Microsemi Corporation – CVE Security Bulletin

January 5, 2018

Microsemi CVE Security Bulletin for SyncServer S600/S650 Network Time Servers

Customer Advisory Notice (CAN)

Subject: CVE-2017-5715 and CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown)

System: SyncServer S600/S650 Network Time Servers

Product Identity: SyncServer S600/S650

CLEI Code: N/A

Product Code(s):

090-15200-600 090-15200-601 090-15200-602
090-15200-603 090-15200-604 090-15200-605
090-15200-606 090-15200-650 090-15200-651
090-15200-652 090-15200-653

CVE-2017-5715/5753 (Spectre) and CVE-2017-5754 (Meltdown) target the way modern processors operate and manage memory. Microsemi SyncServer network time servers are not vulnerable to this type of threat as these exploits require local root access to the machine and the ability to upload and run very specific software programs while measuring the number of clock cycles required to perform the operations. Embedded systems, such as the SyncServers, are not vulnerable to these types of exploits as they do not in general allow local user accounts with privileges to upload and execute programs.

Recommended Actions: SyncServers are intended to be protected behind a firewall. In addition, the management interface should be protected from unauthorized users.

SyncServer S600/S650: No action required.

Sources:

https://www.microsemi.com/document-portal/doc_download/135737-datasheet-syncserver-s650

https://www.microsemi.com/campaigns/network-time-servers/syncserver-s600/?url=https://www.microsemi.com/campaigns/network-time-servers/S650p/%3Fgd%3D1&id=5&gclid=Cj0KCQjwjbyYBhCdARIsAArC6LL-202ej5YfDB5lMIMSZ2735qjo5yaj2i-PrvLv2Cnh_kIJtFJ0oF8aAlMpEALw_wcB

SyncServer S200/S250: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.

SyncServer S300/S350: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.

Microsemi Action:

Microsemi R&D, Technical Support, Quality and Product Management regularly review applicable CVEs and how best to respond. The severity and applicability of the identified CVE influence the type and timeliness of the response. The intent is to respond within industry standard response times and to document Microsemi actions.

In some cases vulnerabilities may appear in the list above (or in the future) as being present in the S600 Series SyncServer. Microsemi may or may not choose to address the vulnerability based on the applicability to the product and its intended use. If a vulnerability is relevant to the operation of the product, the plan will be to address it in a future release.

The Microsemi online support portal will be the repository for documented CVEs as they relate to the SyncServer S600 Series products.

