Is there any exposure to the Intel Meltdown/Spectre kernel memory vulnerabilities?

Updated: 8 January 2018

In January 2018, a vulnerability was discovered in all versions of the Intel X86-64 processor architecture that can cause arbitrary memory leakage, possibly including code execution or the dissemination of critical protected information (such as passwords) contained in memory. These are referred to as the Meltdown and Spectre vulnerabilities, formally known as CVE-2017-5753, CVE-2017-5754 and CVE-2017-5715.

BMC Helix Network Management has evaluated this vulnerability and determined that our products are NOT vulnerable to these exploits, and that they pose no increased risk to BMC Helix Network Management appliances. Although BMC Helix Network Management hardware appliances use Intel processors which are affected by this issue, BMC Helix Network Management does not permit users to upload or execute code on the system and provides no command line (CLI) shell access to users, making it effectively impossible to exploit this vulnerability.

Exploiting these vulnerabilities would require an attacker to have already established local arbitrary code execution; in other words, the system would need to already be successfully exploited. An attacker that has gained the ability to execute arbitrary code on a BMC Helix Network Management appliance will not gain any significant additional capability through exploitation of Meltdown or Spectre attacks on the device.

In practice, the risk of this type of exploit for BMC Helix Network Management customers is very low anyway, as BMC Helix Network Management is typically deployed behind the customer firewall and is not publicly accessible to outside attackers. BMC Helix Network Management also includes intrusion prevention technology to dynamically respond to attempts to gain unauthorized access. Please see the Appliance Security page for more information.

If you have any concerns, please feel free to contact BMC Helix Support.