This page outlines how the Meltdown (CVE 2017-5715) and Spectre (CVE-2017-5753, CVE-2017-5754) vulnerabilities apply to BrightSign players and the BrightSign Network. This statement is based on information from Broadcom (the SoC supplier for BrightSign), Arm (the CPU vendor for Broadcom), and others.

The Meltdown vulnerability has two variants: Variant 3 is common to all Intel x86 CPUs and a single Arm CPU core design, while Variant 3a is a minor vulnerability related to Arm CPUs.

https://nvd.nist.gov/vuln/detail/CVE-2017-5715

Since BrightSign players do not use Intel CPUs or the affected Arm CPU core design, they are not affected by this variant. 

https://developer.arm.com/support/security-update

This vulnerability is present in the following BrightSign models: XTx43, XDx33, HDx23, LS423, and 4Kx42. This is a highly restricted variant of the Meltdown vulnerability and does not provide access to device memory. Neither Arm nor BrightSign believe that mitigations for this issue are necessary.

The Spectre vulnerabilities affect the following models: XTx43, XDx33, HDx23, LS423, and 4Kx42. They may also affect the XDx32. 

To exploit these vulnerabilities, an attacker must be able to run arbitrary code on a device; however, 

 BrightSign players do not respond to requests from other sources on the network, and BrightSign recommends only retrieving/running content from trusted sources (such as a secure webpage, the BrightSign Network, or a BrightSign CMS partner). Even without using Spectre vulnerabilities, an attacker could–if secure practices are not used–inject code using standard JavaScript/BrightScript libraries to steal sensitive information or affect the behavior of the player.

, there are a number of mitigations that improve the resilience of BrightSign players against the Spectre vulnerabilities:

BrightSign will continue to monitor further security developments and employ new mitigations when appropriate.

BrightSignNetwork.com, BSN.Cloud, BSNEE, and BrightAuthor:connected do not use log4j and are not impacted by the related vulnerability.

BrightSignOS does not contain Java. We do package the Java runtime as an extension: any customers who use the Java extension should audit their application to confirm if they use log4j, and if so, use a patched version that is not susceptible to 

All BSN servers are hosted using Amazon Web Services (AWS). Amazon has patched all instances on their EC2 service to protect from the Meltdown and Spectre vulnerabilities.

The BrightSign Network only runs trusted code on its servers, and 

 protect BSN from various forms of attack that would allow for arbitrary code to be run on BSN server instances.

Ripple20

Log4J, Meltdown & Spectre Vulnerabilities

This is our legacy cloud platform. Our latest cloud platform is BSN.Cloud which consists of the free bsn.Control and the paid bsn.Content tiers. Development of BSN has largely ceased and will eventually be deprecated and replaced with BSN.Cloud.

BrightSign_Network_BSN

BrightSign’s *legacy* app for authoring and managing players. The app's actual name is BrightAuthor but is referred to as BrightAuthor Classic to lessen confusion with BrightAuthor:connected, our latest app.

BrightAuthor_Classic

BrightSign’s latest free, all-in-one app for player setup / management, authoring, and content management.

BrightAuthorconnected

The BSN.Cloud record of a player and its Setup. The Default Setup is assigned to the player unless another Setup has been explicitly set.

Provision_Record

The process where a Setup is delivered and applied to a player by BSN.Cloud.

Provision

A set of files containing player settings (player name, description, time zone, Publishing Mode, network settings, etc.) and an autorun.brs file which instructs the player what to do upon bootup.