The Spectre and Meltdown CPU design flaw bugs that emerged in early January 2018 are still creating work for users.
Cisco last week issued a Field Notice to users of its Content Delivery Engine products, hefty servers packed chock full of disks and I/O options to stream video across a LAN or the Internet, or enable services like cloud DVRs.
The Field Notice reveals that the devices are actually built on Intel CPUs and Supermicro servers, so are vulnerable to Spectre and Meltdown.
Or as Cisco puts it, “CDE250/460/465 systems use third party CPUs that are potentially vulnerable. However, these products are closed systems which do not allow custom code to be run on them. While these systems are not currently included in the vulnerable product list in the security advisory below, this BIOS update is available as a precautionary measure.”
So even though the devices are hard to penetrate, they've gone without specific remediation for 15 months. And Cisco thinks they might just need it.
Which is just a little bit terrifying as the official Meltdown and Spectre FAQ states:
Q: Has Meltdown or Spectre been abused in the wild?
A: We don't know.
And just to make things even more amusing, the FAQ also includes the following couplet.
Q: Can I detect if someone has exploited Meltdown or Spectre against me?
A: Probably not. The exploitation does not leave any traces in traditional log files.
Installing a new BIOS isn’t a quick job. And it’s understandable if users have stopped checking to see if server vendors, or third parties that pack servers into appliances, have issued any new fixes.
Cisco’s Field Notice is therefore a warning both to fix up any Content Delivery Engines you own and to revisit other products to see if any other Spectre and Meltdown fixes have landed lately.