Article Number
000036372
CVE ID
000036372
Article Summary
RSA is aware of the side-channel vulnerabilities known as Speculative Store Bypass (CVE-2018-3639) and Rogue System Register Read (CVE-2018-3640) affecting many modern microprocessors that were published by researchers from Microsoft Security Response Center (MSRC) and Google Project Zero on 21 May 2018. An unprivileged attacker with local user access to the system could potentially exploit these vulnerabilities to read privileged memory data. For more information, please review security updates posted by Intel. RSA is investigating the impact of these issues on our products. We will update this article regularly with impact details and mitigation steps as they become available. Mitigation steps may vary by product and may require updates to processor microcode (BIOS), Operating System (OS), Virtual Machine Manager (VMM), and other software components. RSA recommends customers follow security best practices for malware protection to help prevent possible exploitation of these vulnerabilities until any future updates can be applied. These practices include, but are not limited to, promptly deploying software updates, avoiding unknown hyperlinks and websites, never downloading files or applications from unknown sources, and employing up-to-date anti-virus and advanced threat protection solutions.
Link to Advisories
Intel Security Advisory INTEL-SA-00115: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html
Intel Security Microsite: https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
ADV180012 - Microsoft Guidance for Speculative Store Bypass for CVE-2018-3639: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
ADV180013 - Microsoft Guidance for Rogue System Register Read for CVE-2018-3640: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013
Microsoft Security Research and Defense blog: https://aka.ms/sescsrdssb
Google Project Zero Blog: https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
Resolution
RSA Product Name
Versions
Impact Status
Details
Last Updated
3D Secure / Adaptive Authentication eCommerce
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Access Manager
6.2
No direct impact
See Note 1.
2018-05-21
Adaptive Authentication Cloud
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Adaptive Authentication Hosted
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Adaptive Authentication On-Prem
All Supported
No direct impact
See Note 1.
2018-05-21
Archer Hosted (US)
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Archer Hosted (EMEA)
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Archer Platform
All Supported
No direct impact
See Note 1.
2018-05-21
Archer Security Operations Management (SecOps)
All Supported
No direct impact
See Note 1.
2018-05-21
Archer Vulnerability & Risk Manager (VRM) - Hardware Appliance
All Supported
No additional security risk
See Note 3.
2018-05-21
Archer Vulnerability & Risk Manager (VRM) - Virtual Appliance
All Supported
No additional security risk
See Note 3. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-05-21
Authentication Manager (Hardware Appliance - Dell PowerEdge & Intel platforms)
All Supported
No additional security risk
See Note 3.
2018-05-21
Authentication Manager (Virtual Appliance)
All Supported
No additional security risk
See Note 3. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-05-21
Authentication Manager Web Tier
All Supported
No direct impact
See Note 1.
2018-05-21
BSAFE C Products: MES, Crypto-C ME, SSL-C
All Supported
No direct impact
See Note 1.
2018-05-21
BSAFE Java Products: Cert-J, Crypto-J, SSL-J
All Supported
No direct impact
See Note 1.
2018-05-21
Data Loss Prevention (Hardware Appliance)
All Supported
Impacted
Remediation plan in progress.
2018-05-21
Data Loss Prevention (Virtual Appliance)
All Supported
Impacted
Remediation plan in progress. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-05-21
Data Protection Manager (Software)
All Supported
No direct impact
See Note 1.
2018-05-21
Data Protection Manager (Hardware Appliance)
All Supported
Impacted - Remediated
RSA Data Protection Manager 3.5.2.7 contains resolution for this issue. For more details, refer to the security advisory DSA-2018-189.
2018-10-02
Data Protection Manager (Virtual Appliance)
All Supported
Impacted - Remediated
RSA Data Protection Manager 3.5.2.7 contains resolution for this issue. For more details, refer to the security advisory DSA-2018-189. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-10-02
DCS: Certificate Manager
6.9
No direct impact
See Note 1.
2018-05-21
DCS: Validation Manager
3.2
No direct impact
See Note 1.
2018-05-21
eFraudNetwork (eFN)
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
enVision
EOL
The product has reached End of Life.
2018-05-21
Federated Identity Manager
4.2
No direct impact
See Note 1.
2018-05-21
FraudAction (OTMS)
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Identity Governance & Lifecycle (Software), Via Lifecycle & Governance (Software), Identity Management & Governance (Software)
7.1, 7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0
No direct impact
See Note 1.
2018-05-21
Identity Governance & Lifecycle (Hardware Appliance), Via Lifecycle & Governance (Hardware Appliance), Identity Management & Governance (Hardware Appliance)
7.1, 7.0.2, 7.0.1, 7.0, 6.9.1, 6.9.0
Impacted - Remediated
Refer to the Dell security advisory DSA-2018-179 for OS and BIOS updates. Any Remote Agents or Remote AFX deployed in customer environment are a software product only and have no direct impact. See Note 1.
2018-09-25
Identity Governance & Lifecycle (Virtual Application)
7.1
Impacted - Remediated
Refer to the Dell security advisory DSA-2018-179 for OS updates. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection. Any Remote Agents or Remote AFX deployed in customer environment are a software product only and have no direct impact. See Note 1.
2018-09-25
Identity Governance & Lifecycle SaaS / MyAccessLive
Under investigation
Any Remote Agents or Remote AFX deployed in customer environment are a software product only and have no direct impact. See Note 1.
2018-05-21
NetWitness Endpoint (ECAT)
All Supported
No direct impact
See Note 1.
2018-05-21
NetWitness Logs & Packets / Security Analytics (Hardware Appliance)
All Supported
No additional security risk
See Note 3.
2018-05-21
NetWitness Logs & Packets / Security Analytics (Virtual Appliance)
All Supported
No additional security risk
See Note 3. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-05-21
NetWitness Logs & Packets / Security Analytics - Legacy Windows Collector
All Supported
No direct impact
See Note 1.
2018-05-21
NetWitness Live Infrastructure
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
RSA Authentication Client (RAC)
All Supported
No direct impact
See Note 1.
2018-05-21
RSA Central
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
SecurID Access Cloud Service
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
SecurID Access IDR VM
All Supported
No additional security risk
See Note 2. Customers are strongly advised to patch the virtual host environment where the product is deployed for full protection.
2018-05-21
SecurID Agent for PAM
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Agent for Web
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Agent for Windows
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Authenticate App for Android
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Authenticate App for iOS
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Authenticate App for Windows 10
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Authentication Engine
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Authentication SDK
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token Converter
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token for Android
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token for Blackberry
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token for Desktop
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token for iPhone
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token for Windows Mobile
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token Toolbar
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Software Token Web SDK
All Supported
No direct impact
See Note 1.
2018-05-21
SecurID Transaction Signing SDK
All Supported
No direct impact
See Note 1.
2018-05-21
SYN
Current Hosted Environment
No additional security risk
See Note 2.
2018-05-30
Web Threat Detection
All Supported
No direct impact
See Note 1.
2018-05-21
Note 1: It is a software product only. Reported vulnerabilities are best mitigated via firmware and operating system updates. Customers are strongly advised to patch their host systems where the product is installed. Note 2: To take advantage of these vulnerabilities, an attacker first must be able to run malicious code on the targeted system. The product is designed to prevent users from loading and executing any external and/or untrusted code on the system. The reported issues do not introduce any additional security risk to the product. Note 3: To take advantage of these vulnerabilities, an attacker first must be able to run malicious code on the targeted system. Access to the product to load external and/or potentially untrusted code is restricted to users with root or root-equivalent privileges only. The reported issues do not introduce any additional security risk to the product, provided the recommended best practices to protect the access of highly privileged account are followed.
View full article