
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)


2018-02-20

CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Dell EMC is aware of the side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were publicly described by a team of security researchers on January 3, 2018. We encourage customers to review the Security Advisories in the References section for more information.

Patch Guidance (update 2018-02-08):

Dell EMC has received new microcode from Intel per their advisory that was issued on January 22. Dell EMC is issuing new BIOS updates for the affected platforms to address Spectre (Variant 2), CVE-2017-5715. The Product Tables have been updated and will be updated as more microcode is released by Intel. If your product has an updated BIOS listed, Dell EMC recommends you upgrade to that BIOS and apply the appropriate OS patches to provide mitigation against Meltdown and Spectre.

If your product does not have an updated BIOS listed, Dell EMC still advises that customers should not deploy the previously released BIOS updates and should wait for the updated version.

If you have already deployed a BIOS update that could have issues according to Intel's January 22nd advisory, you can revert to a previous BIOS version to avoid unpredictable system behavior. See the tables below.

As a reminder, the Operating System patches are not impacted and still provide mitigation to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.

There are two essential components that need to be applied to mitigate the above-mentioned vulnerabilities:

  1. System BIOS, as per the tables below.
  2. Operating System & Hypervisor updates.

We encourage customers to review the appropriate Hypervisor/OS vendor security advisory. The References section below contains links to some of these vendors.

Dell EMC recommends that customers follow general security best practices for malware protection to protect against possible exploitation of these analysis methods until any future updates can be applied. These practices include promptly adopting software updates, avoiding unrecognized hyperlinks and websites, protecting access to privileged accounts, and following secure password protocols.


Dell Products requiring no patches or fixes for these three CVE vulnerabilities

| Dell Storage Product Line | Assessment |
|---|---|
| EqualLogic PS Series | The CPU used in this product does not implement speculative execution, therefore the vulnerabilities do not apply to this hardware. |
| Dell EMC SC Series (Compellent) | Access to the platform OS to load external code is restricted; malicious code cannot be run. |
| Dell Storage MD3 and DSMS MD3 Series | Access to the platform OS to load external code is restricted; malicious code cannot be run. |
| Dell PowerVault Tape Drives & Libraries | Access to the platform OS to load external code is restricted; malicious code cannot be run. |
| Dell Storage FluidFS Series (includes: FS8600, FS7600, FS7610, FS7500, NX3600, NX3610, NX3500) | Access to the platform OS to load external code is restricted to privileged accounts only. Malicious code cannot be run, provided the recommended best practices to protect the access of privileged accounts are followed. |

| Dell Storage Virtual Appliance | Assessment |
|---|---|
| Dell Storage Manager Virtual Appliance (DSM VA - Compellent); Dell Storage Integration tools for VMWare (Compellent); Dell EqualLogic Virtual Storage Manager (VSM - EqualLogic) | These virtual appliances do not provide general user access. They are single-user, root-user-only, and therefore do not introduce any additional security risk to an environment. The host system and hypervisor must be protected; see vendor links and best practices statement, above. |

Systems Management for PowerEdge Server Products
| Component | Assessment |
|---|---|
| iDRAC: 14G, 13G, 12G, 11G | Not impacted. iDRAC is a closed system that does not allow external 3rd party code to be executed. |
| Chassis Management Controller (CMC): 14G, 13G, 12G, 11G | Not impacted. CMC is a closed system that does not allow external 3rd party code to be executed. |

Note: The tables below list products for which there is available BIOS guidance. This information will be updated as additional information is available. If you do not see your platform, please check later.

The BIOS can be updated using the iDRAC or directly from the Operating System. Additional methods are provided in this article.

*** For impacted systems, Intel will be providing new microcode updates to Dell and we will be releasing BIOS updates as they are available.

For customers who need to revert to a previous BIOS version, refer to the updates in the Tables below.

BIOS updates for PowerEdge Server Products

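| Generation | Models | BIOS version |
|---|---|---|
| 14G | R740, R740XD, R640, R940, XC740XD, XC640 | 1.3.7 |
| 14G | R540, R440, T440 | 1.3.7 |
| 14G | T640 | 1.3.7 |
| 14G | C6420 | 1.3.7 |
| 14G | FC640, M640, M640P | 1.3.7 |
| 14G | C4140 | 1.1.6 |
| 14G | R6415, R7415 | 1.0.9 |
| 14G | R7425 | 1.0.9 |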

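| Generation | Models | BIOS version | Previous BIOS version (recommended) |
|---|---|---|---|
| 13G | R830 | 1.7.0*** | 1.6.0 |
| 13G | T130, R230, T330, R330, NX430 | 2.4.3 | |
| 13G | R930 | 2.5.0*** | 2.4.3 |
| 13G | R730, R730XD, R630, NX3330, NX3230, DSMS630, DSMS730, XC730, XC703XD, XC630 | 2.7.0*** | 2.6.0 |
| 13G | C4130 | 2.7.0*** | 2.6.0 |
| 13G | M630, M630P, FC630 | 2.7.0*** | 2.6.0 |
| 13G | FC430 | 2.7.0*** | 2.6.0 |
| 13G | M830, M830P, FC830 | 2.7.0*** | 2.6.0 |
| 13G | T630 | 2.7.0*** | 2.6.0 |
| 13G | R530, R430, T430, XC430, XC430Xpress | 2.7.0*** | 2.6.0 |
| 13G | C6320, XC6320 | 2.7.0*** | 2.6.0 |
| 13G | C6320P | 2.0.5 | |
| 13G | T30 | 1.0.12 | |

| Generation | Models | BIOS version | Previous BIOS version (recommended) |
|---|---|---|---|
| 12G | R920 | In process | |
| 12G | R820 | In process | |
| 12G | R520 | In process | |
| 12G | R420 | In process | |
| 12G | R320 | In process | |
| 12G | T420 | In process | |
| 12G | T320, NX400 | In process | |
| 12G | R220 | 1.10.1*** | 1.9.1 |
| 12G | R720, R720XD, NX3200 | In process | |
| 12G | R620, NX3300 | In process | |
| 12G | M820 | In process | |
| 12G | M620 | In process | |
| 12G | M520 | In process | |
| 12G | M420 | In process | |
| 12G | T620 | In process | |
| 12G | FM120x4 | In process | |
| 12G | T20 | A15*** | A14 |
| 12G | C6220 | In process | |
| 12G | C6220II | In process | |
| 12G | C8220 | In process | |
| 12G | C8220X | In process | |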

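| Generation | Models | BIOS version |
|---|---|---|
| 11G | R710, NX3000 | In process |
| 11G | R610 | In process |
| 11G | T610 | In process |
| 11G | R510, NX3100 | In process |
| 11G | R410, NX300 | In process |
| 11G | T410 | In process |
| 11G | R310 | In process |
| 11G | T310, NX200 | In process |
| 11G | T110 | In process |
| 11G | T110-II | In process |
| 11G | R210 | In process |
| 11G | R210-II | In process |
| 11G | R810 | In process |
| 11G | R910 | In process |
| 11G | T710 | In process |
| 11G | M610, M610X | In process |
| 11G | N710, M710HD | In process |
| 11G | M910 | In process |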

BIOS update for Dell Datacenter Scalable Solutions (DSS)

| Models | BIOS version | Previous BIOS version (recommended) |
|---|---|---|
| DSS9600, DSS9620, DSS9630 | 1.3.7 | |
| DSS1500, DSS1510, DSS2500 | 2.7.0*** | 2.5.5 |
| DSS7500 | 2.7.0*** | 2.5.4 |
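
As an added example (not Dell EMC code), the patch guidance and BIOS tables above can be applied per server as a triage over an inventory. The table subset, the inventory, the action names, and the reading of a ***-marked version as the release to revert from are assumptions of this example.

```python
import re

# Subset of rows copied from the PowerEdge tables on this page, one model each.
# "listed":   BIOS version shown without a *** marker
# "flagged":  BIOS version marked *** (assumed to be the release to back out)
# "previous": the "Previous BIOS version (recommended)" column
# {}:         "In process", no BIOS guidance yet
ADVISORY = {
    "R740": {"listed": "1.3.7"},
    "T130": {"listed": "2.4.3"},
    "R730": {"flagged": "2.7.0", "previous": "2.6.0"},
    "R220": {"flagged": "1.10.1", "previous": "1.9.1"},
    "T20": {"flagged": "A15", "previous": "A14"},
    "R720": {},
}

# Constructed sample inventory: (hostname, model, installed BIOS version).
INVENTORY = [("db01", "R730", "2.7.0"), ("edge02", "R220", "1.9.1"),
             ("lab03", "T20", "A15"), ("app04", "R740", "1.2.11")]


def version_key(version):
    """Split '1.10.1' or 'A15' into parts so that 1.10.1 compares above 1.9.1."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple(int(p) if p.isdigit() else p.upper() for p in parts)


def triage(model, installed):
    """Return (action, target_version); OS patches are required in every case."""
    row = ADVISORY.get(model)
    if row is None:
        return ("not-listed", None)  # platform absent from the tables: check later
    if not row:
        return ("wait", None)        # "In process": keep the current BIOS
    have = version_key(installed)
    try:
        if "listed" in row:
            ok = have >= version_key(row["listed"])
            return ("ok", None) if ok else ("upgrade", row["listed"])
        flagged = version_key(row["flagged"])
        if have == flagged:
            return ("revert", row["previous"])
        # Older than the *** release: hold and do not deploy it.
        return ("review", None) if have > flagged else ("hold", None)
    except TypeError:
        return ("review", None)      # version scheme differs from the table's


def triage_fleet(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(model, bios) for host, model, bios in inventory}
```

A plain string comparison would rank 1.9.1 above 1.10.1 and misclassify the R220 row, which is why versions are split into numeric parts first.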

Updates on other Dell products

External references

OS Patch Guidance


Performance Links

Frequently Asked Questions (FAQ)


Question: How can I protect against these vulnerabilities?
Answer: There are three vulnerabilities associated with Meltdown and Spectre. Customers must deploy an OS patch from their OS vendor for all 3 vulnerabilities. Only Spectre Variant 2 (CVE-2017-5715) requires a BIOS update with the processor vendor provided microcode. At this time, Intel does not yet have a microcode update available to protect against the Spectre Variant 2 vulnerability.

See table below:

| Variant to Patch | Microcode Update Needed? | OS Patch Needed? |
|---|---|---|
| Spectre (Variant 1), CVE-2017-5753 | No | Yes |
| Spectre (Variant 2), CVE-2017-5715 | Yes | Yes |
| Meltdown (Variant 3), CVE-2017-5754 | No | Yes |


Question: What is the Dell EMC current recommendation regarding updating the OS patches?
Answer: Please refer to your OS vendor’s patch guidance links.

Question: Does Dell EMC have a list of Enterprise products that are not affected?
Answer: Dell EMC has a list of Enterprise products that are not currently affected - look here.

Question: What do I do if I run a virtual server?
Answer: Both the hypervisor and all guest OSes need to be patched.

Question: Are internet browsers potentially affected (JavaScript Variant 2 exploit)?
Answer: Yes, internet browsers can be affected by the Spectre vulnerability, and most browsers have provided updated versions or patches to mitigate this potential vulnerability. See links below for Chrome, Internet Explorer, & Mozilla for additional information.

Question: What about iDRAC and PERC?
Answer: Both the PERC and iDRAC are closed systems that do not allow 3rd party (user) code to run. Spectre and Meltdown both require the ability to run arbitrary code on the processor. Due to this closed code arrangement neither peripheral is at risk of a side-channel analysis microprocessor exploit.

Question: What about appliances? Are there other applications that aren't affected?
Answer: Closed systems that do not allow 3rd party (user) code to run are not vulnerable.

Question: What about the AMD Opteron processors?
Answer: https://www.amd.com/en/corporate/speculative-execution.

Question: When will the BIOS with microcode updates be available from Dell EMC for Intel based systems?
Answer: Updated BIOSes that contain the Intel microcode security updates are available for the PowerEdge 14G systems, T30, C6320p, T130, R230, T330, and R330. Dell EMC currently has no BIOSes which contain Intel microcode security updates for the 11G, 12G or the remaining 13G systems.
  • Please refer to the available PowerEdge 14G list of BIOS updates here.
  • Dell EMC is working with Intel for the required microcode updates to develop the remaining 13G BIOSes that provide mitigation for Spectre Variant 2 and address Intel’s public statement of known reboot issues. We will update with more information on timing once available.
  • 11G & 12G updates are also currently under development, and timing will be confirmed closer to the time.
  • A complete listing of available BIOS updates for PowerEdge systems will be made available here. This list is continuously updated as additional BIOS versions become available and we encourage customers to bookmark the page.

Question: When will BIOS be available for converged infrastructure running on PowerEdge technology (VxRail, etc.)?
Answer: Dell EMC is working to validate existing PowerEdge code updates for all converged infrastructure platforms running on PowerEdge technology. Updates will be provided as additional information is available.

Question: Will Dell EMC be factory installing the operating system and hypervisor patches for PowerEdge Servers and converged infrastructure?
Answer: Dell EMC is currently working to evaluate operating system and hypervisor patches for the 13G & 14G PowerEdge and converged infrastructure platforms that are affected by these vulnerabilities. These updates would become available as part of the normal factory update cycle.

Question: I've heard that the vulnerability affects microprocessors going back at least 10 years. How far back is Dell offering a BIOS update?
Answer: Dell is working with Intel to provide the required BIOS with microcode patches for PowerEdge systems going back to our 11th generation product line. Any BIOS updates that contain microcode updates for the security fix will be dependent upon the affected processor vendors providing code updates to Dell EMC.

Question: Will Dell EMC provide technical support for systems that are out of warranty?
Answer: Dell EMC does not provide technical support for Dell EMC PowerEdge servers that do not have a valid support contract. Customers can access publicly available support documents on support.dell.com regardless of current support contract status.

Question: Will Dell EMC provide patches for systems that are out of warranty?
Answer: Dell EMC PowerEdge server products do not require a valid support contract in order to gain access to our support and downloads pages. PowerEdge server BIOS updates will be available on the Dell EMC support site to all users regardless of current support contract status. Refer to the BIOS section here for BIOS availability. OS patches should be obtained from your OS provider - links are here.

Question: What about the new AMD EPYC processors?
Answer: For AMD public statements on Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753), and Spectre Variant 2 (CVE-2017-5715) as they relate to AMD processors, see https://www.amd.com/en/corporate/speculative-execution.
For Spectre Variant 1 (CVE-2017-5753) the applicable OS patch will address this issue.

Question: When will BIOS updates be available for AMD EPYC based PowerEdge systems that are affected by Spectre?
Answer: Dell EMC has released BIOS updates for our 14G platforms (R7425, R7415, & R6415) which are available on our product support pages. Factory install of these BIOS were available on January 17, 2018.

Question: Is there a performance impact from these BIOS and OS updates?
Answer: The key aspect of these attacks relies on speculative execution which is a performance-related feature. Performance impacts will vary since they are highly workload dependent. Dell is working with Intel and other vendors to determine performance impacts as a result of these updates and will address this once available.






Article ID: SLN308588

Last modified: 02/20/2018 07:45 AM

