
January 12th, 2018 12:00

Dell & latest CPU microcode to address CVE-2017-5715

Hi,

I have a Dell Optiplex 9010. 

Dell lists new BIOS firmware available to address CVE-2017-5715 aka 'Spectre Variant 2'.

http://www.dell.com/support/article/us/en/19/sln308587/microprocessor-side-channel-vulnerabilities-cve-2017-5715-cve-2017-5753-cve-2017-5754-impact-on-dell-products?lang=en

Here is the BIOS update:

http://www.dell.com/support/home/us/en/04/Drivers/DriversDetails?driverId=CR67Y

Which states:

- Update to the latest CPU microcode to address CVE-2017-5715.

Intel released new microcode here: https://downloadcenter.intel.com/download/27431/Linux-Processor-Microcode-Data-File

As documented on this site: https://www.bleepingcomputer.com/news/security/intel-releases-linux-cpu-microcodes-to-fix-meltdown-and-spectre-bugs/

According to the release notes for the Intel download, only these processor families have new microcode:

IVT C0           (06-3e-04:ed) 428->42a
SKL-U/Y D0       (06-4e-03:c0) ba->c2
BDW-U/Y E/F      (06-3d-04:c0) 25->28
HSW-ULT Cx/Dx    (06-45-01:72) 20->21
Crystalwell Cx   (06-46-01:32) 17->18
BDW-H E/G        (06-47-01:22) 17->1b
HSX-EX E0        (06-3f-04:80) 0f->10
SKL-H/S R0       (06-5e-03:36) ba->c2
HSW Cx/Dx        (06-3c-03:32) 22->23
HSX C0           (06-3f-02:6f) 3a->3b
BDX-DE V0/V1     (06-56-02:10) 0f->14
BDX-DE V2        (06-56-03:10) 700000d->7000011
KBL-U/Y H0       (06-8e-09:c0) 62->80
KBL Y0 / CFL D0  (06-8e-0a:c0) 70->80
KBL-H/S B0       (06-9e-09:2a) 5e->80
CFL U0           (06-9e-0a:22) 70->80
CFL B0           (06-9e-0b:02) 72->80
SKX H0           (06-55-04:b7) 2000035->200003c
GLK B0           (06-7a-01:01) 1e->22

So my processor is this:
Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz

Which CPU World http://www.cpu-world.com/cgi-bin/CPUID.pl  lists as:
Family:    6 (06h)
Model:    58 (03Ah)
Stepping:    9 (09h)

So would match the microcode for 06-3a-09 which is indeed in the Intel microcode available in microcode-20180108.tgz.

But it's not in the list that the release notes have:
cat releasenote | grep -i 06-3a-09

So it looks like Dell is releasing new BIOS updates that supply the latest microcode, and possibly labeling the download as fixing CVE-2017-5715 just because it's in the bundle, and not because it's been updated?

Can anyone validate if this is actually correct?  Or was this possibly a mixup just for this Dell desktop?

When I test with spectre-meltdown-checker from: https://github.com/speed47/spectre-meltdown-checker
It shows:
*   Hardware (CPU microcode) support for mitigation:  NO

The part of the script that does that check fails here:
dd if=/dev/cpu/0/msr of=/dev/null bs=8 count=1 skip=9
dd: error reading '/dev/cpu/0/msr': Input/output error

Which seems (to me) to indicate that the microcode to mitigate Spectre really isn't present.


Thanks,

Peter
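
The cross-check described in the post above, as an added example that is not part of the original thread: it derives the family-model-stepping name (06-3a-09) from cpuinfo-style fields and looks that name up in the release-note list. The cpuinfo text is constructed from the i5-3550 values given in the post, the release-note lines are four of those quoted there, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Function names are hypothetical.
# The cpuinfo text is constructed; the release-note lines are quoted in the post.

SAMPLE_CPUINFO='cpu family : 6
model      : 58
model name : Intel(R) Core(TM) i5-3550 CPU @ 3.30GHz
stepping   : 9'

# Four lines from the release-note list quoted in the post.
SAMPLE_RELNOTES='IVT C0           (06-3e-04:ed) 428->42a
HSW Cx/Dx        (06-3c-03:32) 22->23
SKL-H/S R0       (06-5e-03:36) ba->c2
KBL-H/S B0       (06-9e-09:2a) 5e->80'

# cpu_field NAME: print the value of the first "NAME : value" line read from stdin.
cpu_field() {
    awk -F: -v key="$1" '
        { k = $1; gsub(/[ \t]+$/, "", k) }
        k == key { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }'
}

# ucode_sig CPUINFO_TEXT: print family-model-stepping as two hex digits each,
# the naming used for the files in the Intel microcode bundle (e.g. 06-3a-09).
ucode_sig() {
    fam=$(printf '%s\n' "$1" | cpu_field 'cpu family')
    mod=$(printf '%s\n' "$1" | cpu_field 'model')
    stp=$(printf '%s\n' "$1" | cpu_field 'stepping')
    printf '%02x-%02x-%02x\n' "$fam" "$mod" "$stp"
}

# relnote_change SIG NOTES: print "old->new" if NOTES list a revision change
# for SIG; print nothing and return 1 if the signature is not listed.
relnote_change() {
    printf '%s\n' "$2" | awk -v sig="($1:" '
        index($0, sig) { print $NF; found = 1; exit }
        END { exit !found }'
}

sig=$(ucode_sig "$SAMPLE_CPUINFO")
if change=$(relnote_change "$sig" "$SAMPLE_RELNOTES"); then
    echo "$sig: release notes list a revision change ($change)"
else
    echo "$sig: no revision change listed in these release notes"
fi
```

On a live Linux system the first argument to ucode_sig can be "$(cat /proc/cpuinfo)" and the second argument to relnote_change the contents of the releasenote file from the bundle.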

January 15th, 2018 08:00

Update 3: This is being looked into for the E7250 and I linked this thread and asked Dell to look into the Optiplex 9010 as well.

Confirmation from Dell: https://twitter.com/joshua_sleeper/status/953046467123453952

 

Update 2: This is getting old already... The BIOS update DID apply correctly, it's just that Dell Command Update didn't say it did. DxDiag, System Information, and CPU-Z all show that the A18 BIOS is indeed in place.

Which goes back to the first issue unfortunately: the A18 BIOS really isn't showing in tests that it actually enables support for the Spectre Variant 2 mitigation.

 

Update: Actually, for better or worse, I was wrong. It looks like, despite the update being seemingly successful, it didn't actually apply. Tried again to the same result.

So at least for me, the issue is the BIOS update failing to apply. I guess that's better, technically?

 

I'm getting the same result on my Dell E7250 laptop.

Latest BIOS installer (A18) doesn't actually seem to enable the mitigation for CVE-2017-5715 (Spectre Variant 2), despite clearly stating that it does.

Dell, this is either a pretty unfortunate mixup or a terrible lie. Get it fixed please!

Quick link to my Spectre-less BIOS: https://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=JC6JJ


January 16th, 2018 06:00

We have the same problem with the Optiplex 7010; BIOS A26 doesn't enable any Microcode:

We have hundreds of these PCs across our organisation.

 


January 16th, 2018 06:00

I had a very similar problem that was caused by a GPO setting blocking the Windows update and therefore the test script completely failed. Details on my blog:

https://techie-blog.blogspot.de/2018/01/gpo-blocks-windows-meltdown-spectre-update-kb4056892.html

Anguel


January 16th, 2018 07:00

AnguelS,

Thanks for your help. If you see my screenshot, you will notice the MS patches are actually installed but the "BitHarware support" is missing.

This indicates the BIOS is not delivering the required Microcode.

Best Regards


January 17th, 2018 02:00

Oh, now I see, sorry for the confusion. But I hope that my post is still helpful for people like me who wondered why everything was still red in PowerShell while the Dell BIOS update was working fine.


January 17th, 2018 16:00

@Community,

Regarding the 7010 and 9010: SLN308587 has been updated in order to reflect that Dell is still working on implementing new firmware for these models.

Capture.PNG

Regarding the E7250:

Keep in mind: You have to have both the firmware and the Windows update in order for the fix to be enabled.

Make sure you have the below registry key obtained through Windows updates:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056894

Capture.PNG

Here's a pic from my E7250 that is showing enabled:

Capture1.PNG


January 18th, 2018 05:00


@DELL-Justin C wrote:
Make sure you have the below registry key obtained through Windows updates:

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4056894


Hmm, the KB you refer to seems to apply to Win7 only; for Win 10 1709 it will be KB4056892, for example.

Also AFAIK the registry key is not set by the update but it should be set by your Antivirus if it is compatible with the Windows security update.

Correct me if I'm wrong.

Anguel

January 18th, 2018 09:00

Justin C,

Thanks a bundle for the detailed response.

To be clear, I'm well aware that I won't have the actual mitigations in place until I get the OS updates.

That said, prior to receiving those updates I should be able to update my BIOS to one that includes the BTI mitigation microcode and at least see that I support the hardware mitigation for Spectre Variant 2.

My concern was that the updated BIOS that claimed to provide that microcode update didn't, but I think it's some bug with Microsoft's own PowerShell script now.

Steve Gibson's InSpectre vuln check tool (https://www.grc.com/inspectre.htm) detects that the microcode support for the mitigation is indeed in place and that I'm only missing the software support, so I'm happy to call it a tool error at this point.

Thanks again for the detailed response!

 


January 19th, 2018 17:00

@AnguelS,

You're right...I was supposed to mention that in my post and accidentally left it out.

-For WIN7 you need an AV to enable the key

-For WIN10 you don't need AV to enable the key since Windows Defender qualifies as an AV in WIN10

@JoshSleeper,

I appreciate you bringing this up as an effort of due-diligence. Good call.

By the way, I'm the same person that worked with you @DellCaresPro Twitter account with call sign ^JKC. 


February 14th, 2018 05:00

I have an Alienware 15R2 running Windows 7. The system runs fine for the most part but my USB only transfers at USB 1.0. I was informed Windows 7 doesn't support USB 3.0, even though hardware wise that is all that the laptop has, so that it defaults to the primitive USB 1.0 drivers. I was curious if anyone knows if this 1.4.4 BIOS update addresses any USB functionality at all or if anyone knows how I might be able to get my Laptop to transfer at least USB 2.0 speed? Using the DELL diagnostics, it says it is capable of running at speeds of 2.0 but is currently running at 1.0 and gives that test a PASS. A system that should be capable of 3.0 speeds running at 1.0 is a FAIL in my book, especially when even the diagnostics say it should be capable of running USB 2.0 yet Dell has never replied to any of my requests for support, even when the laptop was still under warranty. Dell support has blown me off and I have spent hours upon hours on hold and taking time off work to be available when Dell support said they would contact me for further assistance to which they never did. I would update my BIOS to 1.4.4 but usually only experience issues when getting updates from DELL and looking over forum reviews I see only bad things about the new update that it is causing all sorts of compatibility issues. It seems they were mostly limited to systems running Windows 10 so I was hoping someone here might have more information for me. Thank you in advance for any assistance anyone can provide since DELL sure has not.

 


February 14th, 2018 05:00

Can someone please PM me. I have tried to reply to this post but each time it says success and when I click view post there is nothing there and it still shows only 9 replies. It is a very lengthy reply and I am getting frustrated after having re-typed it three times now and it still not showing up even though I get a notification I moved up to bronze and copper, yet the post disappears and is nowhere to be found.

___________________________________________________________________________________________

EDIT: Finally got it to post below but then it vanishes when I click refresh. I'm not sure why, but the site keeps deleting the reply that I really need posted. I have attempted multiple times and each time it's removed after saying "success"

I figured out why: because the post said "DELL has the worst customer service I have ever dealt with" some sort of automated system keeps removing my post! I have since removed that portion from the below post!

I'm hoping Justin, or maybe another DELL expert reads my post and can message me as this site is not functioning properly.
