15 months after Spectre and Meltdown, the fixes are still flowing

The Spectre and Meltdown CPU design flaw bugs that emerged in early January 2018 are still creating work for users.

Cisco last week issued a Field Notice to users of its Content Delivery Engine products, hefty servers packed chock full of disks and I/O options to stream video across a LAN or the Internet, or enable services like cloud DVRs.

The Field Notice reveals that the devices are actually built on Intel CPUs and Supermicro servers, so are vulnerable to Spectre and Meltdown.

Or as Cisco puts it, “CDE250/460/465 systems use third party CPUs that are potentially vulnerable. However, these products are closed systems which do not allow custom code to be run on them. While these systems are not currently included in the vulnerable product list in the security advisory below, this BIOS update is available as a precautionary measure.”

So even though the devices are hard to penetrate, they've gone without specific remediation for 15 months. And Cisco thinks they might just need it.

Which is just a little bit terrifying as the official Meltdown and Spectre FAQ states:

Q: Has Meltdown or Spectre been abused in the wild?

A: We don't know.

And just to make things even more amusing, the FAQ also includes the following couplet.

Q: Can I detect if someone has exploited Meltdown or Spectre against me?

A: Probably not. The exploitation does not leave any traces in traditional log files.

Installing a new BIOS isn’t a quick job. And it’s understandable if users have stopped checking to see if server vendors, or third parties that pack servers into appliances, have issued any new fixes.

Cisco’s Field Notice is therefore a warning to both fix up any Content Delivery Engines you own, and revisit other products to see if any other Spectre and Meltdown fixes have landed lately.

Copyright © CRN Australia. All rights reserved.