Security Statement: Log4J, Meltdown and Spectre Vulnerabilities
This page outlines how the Meltdown (CVE 2017-5715) and Spectre (CVE-2017-5753, CVE-2017-5754) vulnerabilities apply to BrightSign players and the BrightSign Network. This statement is based on information from Broadcom (the SoC supplier for BrightSign), Arm (the CPU vendor for Broadcom), and others.
BrightSign Players
Meltdown
The Meltdown vulnerability has two variants: Variant 3 is common to all Intel x86 CPUs and a single Arm CPU core design, while Variant 3a is a minor vulnerability related to Arm CPUs.
Variant 3
https://nvd.nist.gov/vuln/detail/CVE-2017-5715
Since BrightSign players do not use Intel CPUs or the affected Arm CPU core design, they are not affected by this variant.Â
Variant 3a
https://developer.arm.com/support/security-update
This vulnerability is present in the following BrightSign models: XTx43, XDx33, HDx23, LS423, and 4Kx42. This is a highly restricted variant of the Meltdown vulnerability and does not provide access to device memory. Neither Arm nor BrightSign believe that mitigations for this issue are necessary.
Spectre
The Spectre vulnerabilities affect the following models: XTx43, XDx33, HDx23, LS423, and 4Kx42. They may also affect the XDx32.Â
To exploit these vulnerabilities, an attacker must be able to run arbitrary code on a device; however, securely configured BrightSign players do not respond to requests from other sources on the network, and BrightSign recommends only retrieving/running content from trusted sources (such as a secure webpage, the BrightSign Network, or a BrightSign CMS partner). Even without using Spectre vulnerabilities, an attacker could–if secure practices are not used–inject code using standard JavaScript/BrightScript libraries to steal sensitive information or affect the behavior of the player.
Mitigation
Aside from standard best practices, there are a number of mitigations that improve the resilience of BrightSign players against the Spectre vulnerabilities:
The BrightSign implementation of the Chromium web browser does not enable WebAssembly or SharedArrayBuffer.
The BPF Just In Time complier is not enabled on BrightSign players.
Chrome 64 contains mitigations to protect against the Spectre vulnerabilites. BrightSign will evaluate these patches and determine whether to include them in a firmware update.
BrightSign will continue to monitor further security developments and employ new mitigations when appropriate.
Java Apache Log4j
BrightSignNetwork.com, BSN.Cloud, BSNEE, and BrightAuthor:connected do not use log4j and are not impacted by the related vulnerability.
BrightSignOS does not contain Java. We do package the Java runtime as an extension: any customers who use the Java extension should audit their application to confirm if they use log4j, and if so, use a patched version that is not susceptible to CVE-2021-44228.
BrightSign Network
All BSN servers are hosted using Amazon Web Services (AWS). Amazon has patched all instances on their EC2 service to protect from the Meltdown and Spectre vulnerabilities.
The BrightSign Network only runs trusted code on its servers, and stringent security policies protect BSN from various forms of attack that would allow for arbitrary code to be run on BSN server instances.