NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Maintenance Update for: CyberFence 3e-636 Series Network Security Devices

Date of Maintenance Completion:  2018.06.18

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

Original Evaluated TOE:  2017.09.20 - 3eTI CyberFence 3e-636 Series

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

The vendor asserts that changes to the TOE were not required to address those vulnerabilities because:

·         testing using a Spectre detection tool (which was recompiled by 3eTI for the 32 bit processor) produced negative results.  The detection tool source code originated with example code described in: "Spectre Attacks: Exploiting Speculative Execution" (https://spectreattack.com/spectre.pdf).  That code, and subsequent modifications, were based upon sample code available at: https://gist.github.com/miniupnp/9b701e87f14ad3e0a455cfb54ba99fed.

·         the TOE Freescale MPC8378 CPU e300 core, which is based upon PPC 603 32-bit core architecture, is not vulnerable to Meltdown attacks as detailed at the official Meltdown CVE information pages: https://nvd.nist.gov/vuln/detail/CVE-2017-5754/ and https://nvd.nist.gov/vuln/detail/CVE-2017-5754/cpes. In particular:

o   Meltdown is limited to certain Intel-only x86 products which perform out-of-order execution.  Non-Intel x86 implementations (i.e. AMD) are not inherently affected, and the TOE’s Freescale CPU core is not listed as vulnerable to Meltdown on the CVE page.

·         the vendor claims that no additional relevant vulnerabilities were discovered during an updated search of the following sites:

o   National Vulnerability Database (https://web.nvd.nist.gov/vuln/search),

o   Vulnerability Notes Database (http://www.kb.cert.org/vuls/),

o   Rapid7 Vulnerability Database (https://www.rapid7.com/db/vulnerabilities),

o   Tipping Point Zero Day Initiative  (http://www.zerodayinitiative.com/advisories),

o   Exploit / Vulnerability Search Engine (http://www.exploitsearch.net),

o   SecurITeam Exploit Search (http://www.securiteam.com),

o   Offensive Security Exploit Database (https://www.exploit-db.com/),

o   Tenable Network Security (http://nessus.org/plugins/index.php?view=search).

Therefore, no security relevant changes were made to the TOE:

·         no changes to hardware, software or firmware,

·         no model version identification changes,

·         no additional platforms are claimed as part of this maintenance. 

The evaluation evidence consists of the Impact Analysis Report (IAR) and supporting vulnerability analysis update, dated May 24, 2018.

The original evaluation was performed against the collaborative Protection Profile for Network Devices Version 1.0 and the ST referenced validated CAVP certificates. No changes were made to the processor and therefore no modifications were required to any of the valid NIST certificates.

Vendor Information

Ultra-3eTI
Harinder Sood
1-301-670-6779
1-301-670-6989
info@ultra-3eti.com

https://www.niap-ccevs.org/exit/?site=www.ultra-3eti.com