Microsemi Corporation – CVE Security Bulletin
January 5, 2018
Microsemi CVE Security Bulletin for SyncServer S600/S650 Network Time Servers
Customer Advisory Notice (CAN)
Subject: CVE-2017-5715 and CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown)
System: SyncServer S600/S650 Network Time Servers
Product Identity: SyncServer S600/S650
CLEI Code: N/A
Product Code(s):
090-15200-600 090-15200-601 090-15200-602
090-15200-603 090-15200-604 090-15200-605
090-15200-606 090-15200-650 090-15200-651
090-15200-652 090-15200-653
CVE-2017-5715/5753 (Spectre) and CVE-2017-5754 (Meltdown) target the way modern processors operate and manage memory. Microsemi SyncServer network time servers are not vulnerable to this type of threat, as these exploits require local root access to the machine and the ability to upload and run very specific software programs while measuring the number of clock cycles required to perform the operations. Embedded systems, such as the SyncServers, are not vulnerable to these types of exploits, as they do not in general allow local user accounts with privileges to upload and execute programs.
Recommended Actions: SyncServers are intended to be protected behind a firewall. In addition, the management interface should be protected from unauthorized users.
SyncServer S600/S650: No action required.
Sources:
https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650
https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB
SyncServer S200/S250: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.
SyncServer S300/S350: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.
Microsemi Action:
Microsemi R&D, Technical Support, Quality and Product Management regularly review applicable CVEs and how best to respond. The severity and applicability of the identified CVE influence the type and timeliness of the response. The intent is to respond within industry-standard response times and to document Microsemi actions.
In some cases, vulnerabilities may appear in the list above (or in the future) as being present in the S600 Series SyncServer. Microsemi may or may not choose to address the vulnerability based on its applicability to the product and its intended use. If a vulnerability is relevant to the operation of the product, the plan will be to address it in a future release.
The Microsemi online support portal will be the repository for documented CVEs as they relate to the SyncServer S600 Series products.
About Syncworks
Syncworks is the national leader in GPS security. Critical infrastructure in the US is a top priority at the highest level of government. Our mission is to enable, educate, and support efforts to become compliant with celestial and terrestrial GPS systems working together.
Our flagship product, the TimeProvider® 4500, is a gateway clock that accepts multiple inputs from Global Navigation Satellite Systems (GNSS), Synchronous Ethernet (SyncE), and IEEE 1588 PTP Grandmaster Clock and E1/T1 digital transmission links.
As of January 1, 2024, we have expanded our Field Services to include Antenna Installation and Entrance Facility Cabling, Legacy Equipment Decom and Traffic Migration, Disposal (hazmat) Services, Radio Commissioning (MW, P-LTE, CBRS), and Enterprise Wi-Fi.
For more information, contact sales@syncworks.com or call (904) 280-1234.