CVE-2017-5754, CVE-2017-5753 and CVE-2017-5715 Information regarding speculative execution Meltdown and Spectre vulnerabilities.
Vulnerability Detail
On January 3, 2018 it was formally announced that researchers had found three vulnerabilities that take advantage of the implementation of speculative execution of instructions on many modern microprocessor architectures to perform side-channel information disclosure attacks.
The first of these vulnerabilities is Meltdown (CVE-2017-5754). Meltdown, can enable hackers to gain privileged access to parts of a computer\u2019s memory used by an application/program and the operating system (OS). Meltdown only affects Intel processors.
The second and third vulnerabilities are rolled under the Spectre moniker (CVE-2017-5753 and CVE-2017-5715). Spectre can allow attackers to steal information leaked in the kernel/cached files or data stored in the memory of running programs, such as credentials (passwords, login keys, etc.). According to Google Project Zero, this vulnerability impacts Intel, AMD, and ARM chips.
Tera2 Zero Clients, Tera2 Remote Workstation Cards and Hardware Accelerator
We have confirmed that the MIPS processor models used in our Tera2 Zero Clients,Tera2 Remote Workstation Cards, and Hardware Accelerator are not impacted by the exploitation techniques described in the Spectre and Meltdown vulnerabilities.
All other products
Teradici continues to investigate all of our product line to determine which (if any) products might be impacted. We will update the support website and all relevant Knowledge base articles as we complete our investigations and more information becomes available. A summary of our current findings can be found in the table below:
|
Product |
Spectre 1 |
Spectre 2 |
Meltdown |
|
Tera2 Remote Workstation Card |
Not Vulnerable |
Not Vulnerable |
Not Vulnerable |
|
Tera2 Zero Client |
Not Vulnerable |
Not Vulnerable |
Not Vulnerable |
|
Hardware Accelerator |
Not Vulnerable |
Not Vulnerable |
Not Vulnerable |
|
HP Anyware |
Not Vulnerable* |
Not Vulnerable* |
Not Vulnerable* |
|
Connection Manager for Amazon Workspace (TAA) |
Reboot the the PCoIP Connection Manager for Amazon WorkSpaces as unattended updates is enabled by default. Teradici will also release a new version. See PCoIP Products and Releases for product updates |
Reboot the the PCoIP Connection Manager for Amazon WorkSpaces as unattended updates is enabled by default. Teradici will also release a new version. See PCoIP Products and Releases for product updates |
Reboot the the PCoIP Connection Manager for Amazon WorkSpaces as unattended updates is enabled by default. Teradici will also release a new version. See PCoIP Products and Releases for product updates |
|
Connection Manager/Security Gateway |
Not Vulnerable* |
Not Vulnerable* |
Not Vulnerable* |
|
Host Software |
Not Vulnerable* |
Not Vulnerable* |
Not Vulnerable* |
|
License Server 1.x/2.0 |
Not Vulnerable* |
Not Vulnerable* |
Not Vulnerable* |
|
Management Console 1.x |
Under Review |
Under Review |
Under Review |
|
Management Console 2.x/3.x |
Teradici has released a new version with CentOS updates. See PCoIP Products and Releases for product updates. Note: Customers can continue to update CentOS using sudo yum update as CentOS release further updates. |
Teradici has released a new version containing an updated VM Hardware version. See PCoIP Products and Releases for product updates. SeeHow to upgrade the PCoIP Management Console VMware Virtual Machine hardware version for VM hardware upgrade overview. Patching of the ESXi server will be required as patches are made available from VMware. VMware security information on VM Hardware version: https://www.vmware.com/us/security/advisories/VMSA-2018-0004.html. |
Teradici has released a new version with CentOS updates. See PCoIP Products and Releases for product updates. Note: Customers can continue to update CentOS using sudo yum update as CentOS release further updates. |
|
Software Clients |
Not Vulnerable* |
Not Vulnerable* |
Not Vulnerable* |
*Not Vulnerable: It is important to note that that a Teradici product that may be deployed on an OS, as a virtual machine or a container, even while not being directly affected by any of these vulnerabilities, could be targeted by such attacks if the hosting environment is vulnerable. Teradici recommends customers harden their virtual environment and to ensure that all security updates are installed. Also, please be aware that as this is an ongoing investigation, products considered not vulnerable may become Vulnerable if additional information becomes available.
Operating System Updates: Updates have been made available for many of the major operating systems to mitigate both Spectre (1,2) and Meltdown. These updates can be applied to products delivered in a virtual appliance format. However, you should verify the performance of the system prior to running it in products by testing on a test system or performing a snapshot backup of the appliance prior to updating.