Barracuda Networks has been actively investigating the potential impact of CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown) on our products and services.
Barracuda Appliances: our appliance products do contain hardware affected by the Meltdown and Spectre vulnerabilities. However, Barracuda physical and virtual appliances do not allow execution of untrusted code. This prohibition creates a compensating control that protects our customers from these three vulnerabilities. We are keeping a close eye on the remediation solutions evolving in the community and will phase in additional solutions through software updates when appropriate.
Virtual appliances running on a vulnerable host system are vulnerable to CVE-2017-5715 (Variant 2) from malicious guests on the same host. Customers hosting their own virtual environments should follow the recommendations of their hypervisor manufacturer to update their host systems. The prohibition against execution of untrusted code, in combination with mitigations on the host system, protect our customers from all three vulnerabilities.
Barracuda Appliances deployed in Public Cloud Environments: public cloud vendors have been quick to deploy remediations to their hosting infrastructure to address these issues. The combination of host system mitigations and the compensating controls built into Barracuda virtual appliances protect our customers from all three vulnerabilities.
Advisories from our public cloud partners assuring remediation are included as follows:
- AWS: https://aws.amazon.com/security/security-bulletins/AWS-2018-013/
- Azure: https://azure.microsoft.com/en-us/blog/securing-azure-customers-from-cpu-vulnerability/
- GCP: https://cloud.google.com/compute/docs/security-bulletins
Barracuda Cloud Services: similar to our appliance products, our services prohibit execution of untrusted code in the context of our services. Where untrusted content can execute on hardware in our cloud dedicated to that purpose (e.g. Cloud LiveBoot for Barracuda Backup), we are deploying patches to our hypervisors to mitigate these vulnerabilities.
If you have any questions regarding how these CVEs may impact your Barracuda solutions, please contact our support team by opening a case here or by sending an email to [email protected]