Zyxel is aware of the recently disclosed side-channel attacks affecting a number of modern computer processors, as identified in US-CERT Vulnerability Note VU#584653 with the vulnerability IDs listed in Table 1 below. The attacks are also referred to as Meltdown and Spectre.
What are the vulnerabilities?
The vulnerabilities are related to the CPU hardware implementations that could allow attackers to extract information from instructions that have executed on a CPU using the CPU cache as a side-channel. Exploitation of these vulnerabilities could result in privilege escalation or leak of information.
Currently there are three variants of the attacks, as listed in Table 1.
|Type of attack||CVE IDs||Known as|
|Bounds check bypass||CVE-2017-5753||Spectre attack|
|Branch target injection||CVE-2017-5715||Spectre attack|
|Rouge data cache load||CVE-2017-5754||Meltdown attack|
Impact on Zyxel products and services
Research states that the attack with the highest impact may occur in multi-tenancy systems such as shared server or desktop operation system. Furthermore, all three vulnerabilities require an attacker capable of providing and running untrusted code on affected platform.
Since Zyxel hardware products are running on proprietary systems and designed to run only trusted code under regular conditions, this creates a great barrier against attackers exploiting the mentioned vulnerabilities to target Zyxel products over a network. For Zyxel cloud services, our cloud infrastructure providers have patched the cloud Infrastructure against known attacks. Given the above facts, we assume Meltdown and/or Spectre attacks are only viable if the attack is combined with another local or remote code execution vulnerability, if such vulnerability exists on potentially affected Zyxel products and is successfully exploited.
Therefore, to the best of our knowledge, Zyxel believes our products and services are at low risk from the attacks and no immediate action needs to be taken.
What should I do now to protect myself against the vulnerabilities?
While we believe the impact to Zyxel devices is minimal, we strongly recommend customers to upgrade devices to the latest available firmware for optimal protection. To lower your risks to the Meltdown and Spectre attacks, upgrading the operating systems of your PCs and smartphones to the latest available version will also strengthen the protections.
Zyxel will keep updating the advisory when more information becomes available.
Please contact your local service representatives if you require further information or assistance. To report a vulnerability, please contact firstname.lastname@example.org
Initial release 2018-01-11