January 5, 2018
CVE Security Bulletin
Customer Advisory Notice (CAN)
Subject: CVE-2017-5715 and CVE-2017-5753 (Spectre), CVE-2017-5754 (Meltdown)
System: SyncServer S600/S650 Network Time Servers
Product Identity: SyncServer S600/S650
CLEI Code: N/A
090-15200-600 090-15200-601 090-15200-602
090-15200-603 090-15200-604 090-15200-605
090-15200-606 090-15200-650 090-15200-651
CVE-2017-5715/5753 (Spectre) and CVE-2017-5754 (Meltdown) target the way modern processors operate and manage memory. Microsemi SyncServer network time servers are not vulnerable to this type of threat, as these exploits require local root access to the machine and the ability to upload and run very specific software programs while measuring the number of clock cycles required to perform the operations. Embedded systems, such as the SyncServers, are not vulnerable to these types of exploits, as they do not, in general, allow local user accounts with privileges to upload and execute programs.
Recommended Actions: SyncServers are intended to be protected behind a firewall. In addition, the management interface should be protected from unauthorized users.
SyncServer S600/S650: No action required.
SyncServer S200/S250: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.
SyncServer S300/S350: These models are discontinued, are not current with respect to CVE mitigation, and as such are vulnerable to known CVEs. Microsemi highly recommends replacement with the SyncServer S600/S650 models, which are actively maintained with respect to CVE mitigation.
Microsemi R&D, Technical Support, Quality and Product Management regularly review applicable CVEs and how best to respond. The severity and applicability of the identified CVE influence the type and timeliness of the response. The intent is to respond within industry standard response times and to document Microsemi actions.
In some cases, vulnerabilities may appear in the list above (or in the future) as being present in the S600 Series SyncServer. Microsemi may or may not choose to address a vulnerability, based on its applicability to the product and its intended use. If a vulnerability is relevant to the operation of the product, the plan is to address it in a future release.
The Microsemi online support portal will be the repository for documented CVEs as they relate to the SyncServer S600 Series products.