
Barco service bulletin

15/01/2018 – Spectre and Meltdown vulnerabilities on BCM products

1. SECURITY NOTE – GREEN BCM AFFECTED BY SPECTRE

1.1. General

Summary

Researchers have discovered and published three flaws related to CPU data cache
timing, which are present in nearly all modern processors. These flaws allow
users with malicious intent to read privileged memory and obtain sensitive
information which would otherwise be inaccessible.

The researchers dubbed their attacks Meltdown and Spectre. More information
can be found on https://meltdownattack.com.

Exposure

The vulnerabilities could be exploited remotely by abusing another vulnerability,
e.g. in the web interface of the green BCM box. Due to the defense-in-depth
model we apply on the green BCM box, the risk that these vulnerabilities can be
exploited is estimated as very low.

Please note that the gBCMC does not hold any customer-specific data; should
this vulnerability be exploited, there is no customer/external usable data stored
on the gBCMC which could be retrieved.

Impact

These attacks have an impact on the Green BCM box solution because this is a
hardware design flaw, and the vulnerabilities impact most modern
processors.

Affected BCM Controllers:


Name             Part Nr.    Spectre    Meltdown
Green BCM Box    R766134     Yes        No
PICO Box BCMC    R9843790    No         No

Barco n.v.
Page 1 of 2
President Kennedypark 35, B-8500 Kortrijk, Belgium

www.barco.com
CVE identifiers

Several Common Vulnerabilities and Exposures (CVE) identifiers were assigned
to track all specific instantiations of the Spectre and Meltdown attacks.

Spectre vulnerability identifiers:

• CVE-2017-5753: Systems with microprocessors utilizing speculative
  execution and branch prediction may allow unauthorized disclosure of
  information to an attacker with local user access via a side-channel analysis.
• CVE-2017-5715: Systems with microprocessors utilizing speculative
  execution and indirect branch prediction may allow unauthorized disclosure
  of information to an attacker with local user access via a side-channel
  analysis.

Meltdown vulnerability identifier:

• CVE-2017-5754: Systems with microprocessors utilizing speculative
  execution and indirect branch prediction may allow unauthorized disclosure
  of information to an attacker with local user access via a side-channel
  analysis of the data cache.

Exploitation

Barco is not aware of any malicious use of the vulnerabilities described in
this note against the green BCM box.

Mitigation

Barco confirms that the affected Green BCM box needs to be patched in order
to mitigate the vulnerabilities mentioned above. Barco is aligning with the R&D
teams and processor suppliers to provide a patch as soon as possible.

Legal Advisory

This document is provided on an "as is" basis. It does NOT imply any kind of
guarantee or warranty. Barco reserves the right to update this document at any
time, to reflect new information.
