Symptom
The combination of the hardware platform and offered software features render the product in question affected by the vulnerabilities identified by the following Common Vulnerability and Exposures (CVE) IDs:
CVE-2017-5715 - Branch Target Injection Side-Channel Information Disclosure Vulnerability (aka Spectre)
CVE-2017-5753 - Bounds Check Bypass Side-Channel Information Disclosure Vulnerability (aka Spectre)
CVE-2017-5754 - Rogue Data Cache Load Side-Channel Information Disclosure Vulnerability (aka Meltdown)
Conditions
Cisco WAAS Hardware Appliances WAVE-274, WAVE-474, WAVE-574, WAVE-294, WAVE-594, and WAVE-694 running WAAS Software version 5.x or prior with an untrusted system in a Virtual Blade are affected.
Workaround
Disable Virtual Blades or ensure only trusted code is executed.
Further Problem Description
WAAS WAVE-274, WAVE-474, and WAVE-574 hardware appliances reached end of hardware support on August 31st, 2017.
Devices running WAAS version 6.x do not support Virtual Blade devices and are not considered vulnerable.
Cisco WAAS WAVE-7541, WAVE-7571, and WAVE-8541 devices do not support the Virtual Blade feature while running any version of Cisco WAAS Software.
Customers are advised to migrate to version 6.x of WAAS software if possible.
PSIRT Evaluation:
The Cisco PSIRT has assigned this bug the following CVSS version 3 score. The Base CVSS score as of the time of evaluation is 5.3:
https://tools.cisco.com/security/center/cvssCalculator.x?version=3.0&vector=AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
