Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking)


2018-08-17

CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Dell EMC is aware of the side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were publicly described by a team of security researchers on January 3, 2018. We encourage customers to review the Security Advisories in the References section for more information.

Patch Guidance (update 2018-02-08):

Dell EMC has received new microcode from Intel per their advisory that was issued on January 22. Dell EMC is issuing new BIOS updates for the affected platforms to address Spectre (Variant 2), CVE-2017-5715. The Product Tables have been updated and will be updated as more microcode is released by Intel. If your product has an updated BIOS listed, Dell EMC recommends you upgrade to that BIOS and apply the appropriate OS patches to provide mitigation against Meltdown and Spectre.

If your product does not have an updated BIOS listed, Dell EMC still advises customers not to deploy the previously released BIOS updates and to wait for the updated version.

If you have already deployed a BIOS update that could have issues according to Intel's January 22 advisory, you can revert to a previous BIOS version to avoid unpredictable system behavior. See the tables below.

As a reminder, the Operating System patches are not impacted and still provide mitigation to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.

There are two essential components that need to be applied to mitigate the above mentioned vulnerabilities:

  1. System BIOS as per Tables below
  2. Operating System & Hypervisor updates.

We encourage customers to review the appropriate Hypervisor/OS vendor security advisory. The References section below contains links to some of these vendors.

Dell EMC recommends that customers follow general security best practices for malware protection to guard against possible exploitation of these analysis methods until any future updates can be applied. These practices include promptly adopting software updates, avoiding unrecognized hyperlinks and websites, protecting access to privileged accounts, and following secure password protocols.


Dell Products requiring no patches or fixes for these three CVE vulnerabilities


Dell Storage Product Line | Assessment
EqualLogic PS Series | The CPU used in this product does not implement speculative execution, therefore the vulnerabilities do not apply to this hardware.
Dell EMC SC Series (Compellent) | Access to the platform OS to load external code is restricted; malicious code cannot be run.
Dell Storage MD3 and DSMS MD3 Series | Access to the platform OS to load external code is restricted; malicious code cannot be run.
Dell PowerVault Tape Drives & Libraries | Access to the platform OS to load external code is restricted; malicious code cannot be run.
Dell Storage FluidFS Series (includes: FS8600, FS7600, FS7610, FS7500, NX3600, NX3610, NX3500) | Access to the platform OS to load external code is restricted to privileged accounts only. Malicious code cannot be run, provided the recommended best practices to protect the access of privileged accounts are followed.

Dell Storage Virtual Appliance:
Dell Storage Manager Virtual Appliance (DSM VA - Compellent)
Dell Storage Integration tools for VMWare (Compellent)
Dell EqualLogic Virtual Storage Manager (VSM - EqualLogic)
Assessment: These virtual appliances do not provide general user access. They are single-user, root-user-only, and therefore do not introduce any additional security risk to an environment. The host system and hypervisor must be protected; see vendor links and best practices statement, above.

Systems Management for PowerEdge Server Products
Component | Assessment
iDRAC: 14G, 13G, 12G, 11G | Not impacted. iDRAC is a closed system that does not allow external 3rd party code to be executed.
Chassis Management Controller (CMC): 14G, 13G, 12G, 11G | Not impacted. CMC is a closed system that does not allow external 3rd party code to be executed.

Platforms:
Dell 10Gb Ethernet Pass-Through
Dell 10Gb-K Ethernet Pass-Through
Dell Ethernet Pass-Through
FC8 Pass-Through
Force10 MXL Blade
PowerConnect M6220
PowerConnect M6348
PowerConnect M8024
PowerConnect M8024-K
Assessment: These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.

Platforms | Assessment
Brocade M5424, M6505, M8428-k | Vendor Statement
Cisco Catalyst 3032, 3130, 3130G, 3130X | Vendor Statement
Cisco Catalyst Nexus B22 Dell Blade Fabric Extender | Vendor Statement
Mellanox M2401G, M361Q, M4001F Fi | Vendor Statement

Platforms:
C1048P, C9010
M I/O Aggregator
MXL
FX2
N11xx, N15xx, N20xx, N30xx, N2128PX, N3128PX
Navasota
S55, S60
S3048-On OS9, S3048-on OS10 Enterprise, S3100, S3124F, S3124P, S3148P
S4048, S4048-ON OS9, S4048-ON OS10 Enterprise, S4048T-ON OS9, S4048T-ON OS10 Enterprise
S4128F-ON, S4148F-ON, S4128T-ON, S4148T-ON, S4148U-ON, S4148FE-ON, S4148FB, S4248FBL
S5048, S5048F-ON, S5148F
S6000, S6000-ON OS9, S6010-ON OS9, S6010-ON OS10 Enterprise, S6100-ON
SIOM
Z9000, Z9100 OS9, Z9100 OS10 Enterprise
Assessment: These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.

Platforms:
PowerConnect 2016, 2124, 2216, 2224, 2324, 2508, 2608, 2616, 2624
PowerConnect 2708, 2716, 2724, 2748, 2808, 2816, 2824, 2848
PowerConnect 3024, 3048, 3248, 3324, 3348
PowerConnect 3424, 3424P, 3448, 3448P, 3524, 3524P, 3548, 3548P
PowerConnect 5012, 5212, 5224, 5316M, 5324, 5424, 5448, 5524, 5524P, 5548, 5548P
PowerConnect 6024, 6024F, 6224, 6224F, 6224P, 6248, 6248P
PowerConnect 7024, 7024F, 7024P, 7048, 7048P, 7048R
PowerConnect 8024, 8024F, 8100 Series
PowerConnect B-8000, B-8000e, B-FCXs, B-T124X
PowerConnect J-EX4200, J-EX4200-24F, J-EX4200-24t, J-EX4200-48t, J-EX4500
PowerConnect J-SRX100, J-SRX210, SRX240
C9000 Series Line Cards
Assessment: These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.

Platforms | Assessment
Brocade 300, 4424 Switch Fi, 5100, 5300 | Vendor Statement
Brocade 6505, 6510, 6520, G620 | Vendor Statement
Cisco Catalyst 3750E-48TD, 4900M, 4948-10GE | Vendor Statement

Platforms | Assessment
Active Fabric Controller | Software Unaffected
Active Fabric Manager | Software Unaffected
Dell Networking vCenter Plug-in | Software Unaffected
Dell OpenManage Network Manager | Software Unaffected
HiveManager NG | No Mitigation Needed; Vendor Statement
Open Automation | Software Unaffected
Software Defined Networking | Software Unaffected



Note: The tables below list products for which there is available BIOS/Firmware/Driver guidance. This information will be updated as additional information is available. If you do not see your platform, please check later.

The Server BIOS can be updated using the iDRAC or directly from the Operating System. Additional methods are provided in this article.

These are the minimum required BIOS versions.

BIOS/Firmware/Driver updates for PowerEdge Server and Networking Products


Generation Models BIOS version
14G R740, R740XD, R640, R940 XC740XD, XC640 1.3.7
R540, R440, T440, XR2 1.3.7
T640 1.3.7
C6420 1.3.7
FC640, M640, M640P 1.3.7
C4140 1.1.6
R6415, R7415 1.0.9
R7425 1.0.9
Generation Models BIOS version
13G R830 1.7.1
T130, R230, T330, R330, NX430 2.4.3
R930 2.5.1
R730, R730XD, R630, NX3330, NX3230, DSMS630, DSMS730, XC730, XC703XD, XC630 2.7.1
C4130 2.7.1
M630, M630P, FC630 2.7.1
FC430 2.7.1
M830, M830P, FC830 2.7.1
T630 2.7.1
R530, R430, T430, XC430, XC430Xpress 2.7.1
R530XD 1.7.0
C6320, XC6320 2.7.1
C6320P 2.0.5
T30 1.0.12
Generation Models BIOS version
12G R920 1.7.1
R820 2.4.1
R520 2.5.1
R420 2.5.1
R320, NX400 2.5.1
T420 2.5.1
T320 2.5.1
R220 1.10.2
R720, R720XD, NX3200, XC720XD 2.6.1
R620, NX3300 2.6.1
M820 2.6.1
M620 2.6.1
M520 2.6.1
M420 2.6.1
T620 2.6.1
FM120x4 1.7.0
T20 A16
C5230 1.3.1
C6220 2.5.5
C6220II 2.8.1
C8220, C8220X 2.8.1
Generation Models BIOS version
11G R710 6.5.0
NX3000 In Process
R610 6.5.0
T610 6.5.0
R510 1.13.0
NX3100 In Process
R410 1.13.0
NX300 In Process
T410 1.13.0
R310 1.13.0
T310 1.13.0
NX200 In Process
T110 1.11.1
T110-II 2.9.0
R210 1.11.0
R210-II 2.9.0
R810 2.10.0
R910 2.11.0
T710 6.5.0
M610, M610X 6.5.0
M710 6.5.0
M710HD 8.3.1
M910 2.11.0
C1100 3B24
C2100 3B24
C5220 2.2.0
C6100 1.80
R415 2.4.1
R515 2.4.1
R715 3.4.1
R815 3.4.1
M915 3.3.1
C6105 2.6.0
C6145 3.6.0
Models BIOS version
DSS9600, DSS9620, DSS9630 1.3.7
DSS1500, DSS1510, DSS2500 2.7.1
DSS7500 2.7.1
Models BIOS/Firmware/Driver version
OS10 Basic VM In process
OS10 Enterprise VM In process
S OS-Emulator In process
Z OS-Emulator In process
S3048-ON OS10 Basic In process
S4048-ON OS10 Basic In process
S4048T-ON OS10 Basic In process
S6000-ON OS Basic In process
S6010-ON OS10 Basic In process
Z9100 OS10 Basic In process
Networking - Fixed Port Switches
Platforms BIOS/Firmware/Driver version
Mellanox SB7800 Series, SX6000 Series Mellanox is carefully investigating the released patches, and will release software updates as soon as available. Vendor Statement
Models BIOS/Firmware/Driver version
W-3200, W-3400, W-3600, W-6000, W-620, W-650, W-651 Link - requires login
W-7005, W-7008, W-7010, W-7024, W-7030, W-7200 Series, W-7205 Link - requires login
W-AP103, W-AP103H, W-AP105, W-AP114, W-AP115, W-AP124, W-AP125, W-AP134, W-AP135, W-AP175 Link - requires login
W-AP204, W-AP205, W-AP214, W-AP215, W-AP224, W-AP225, W-AP274, W-AP275 Link - requires login
W-AP68, W-AP92, W-AP93, W-AP93H Link - requires login
W-IAP103, W-IAP104, W-IAP105, W-IAP108, W-IAP109, W-IAP114, W-IAP115, W-IAP134, W-IAP135 Link - requires login
W-IAP155, W-IAP155P, W-IAP175P, W-IAP175AC, W-IAP204, W-IAP205, W-IAP214, W-IAP215 Link - requires login
W-IAP-224, W-IAP225, W-IAP274, W-IAP275, W-IAP3WN, W-IAP3P, W-IAP92, W-IAP93 Link - requires login
W-Series Access Points - 205H, 207, 228, 277, 304, 305, 314, 315, 324, 325, 334, 335 Link - requires login
W-Series Controller AOS Link - requires login
W-Series FIPS Link - requires login
Models BIOS/Firmware/Driver version
W-Airwave Link - requires login - Ensure Hypervisor has appropriate patches.
W-ClearPass Hardware Appliances Link - requires login
W-ClearPass Virtual Appliances Link - requires login - Ensure Hypervisor has appropriate patches.
W-ClearPass 100 Software Link - requires login


Updates on other Dell products

External references

OS Patch Guidance

Performance Links



Frequently Asked Questions (FAQ)


Question: How can I protect against these vulnerabilities?
Answer: There are three vulnerabilities associated with Meltdown and Spectre. Customers must deploy an OS patch from their OS vendor for all 3 vulnerabilities. Only Spectre Variant 2 (CVE-2017-5715) requires a BIOS update with the processor vendor provided microcode. At this time, Intel does not yet have a microcode update available to protect against the Spectre Variant 2 vulnerability.

See table below:

Variant to Patch | Microcode Update Needed? | OS Patch Needed?
Spectre (Variant 1), CVE-2017-5753 | No | Yes
Spectre (Variant 2), CVE-2017-5715 | Yes | Yes
Meltdown (Variant 3), CVE-2017-5754 | No | Yes
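
The table above and the minimum BIOS versions listed earlier in this advisory can be combined into a per-host check. The Python below is an added example, not Dell EMC code: it assumes a Linux host that exposes /sys/class/dmi/id and /sys/devices/system/cpu/vulnerabilities, carries only a subset of the BIOS table, and uses function names and sample values constructed for illustration. It goes slightly beyond the table by flagging non-numeric BIOS schemes (such as A16) for manual comparison instead of guessing their order.

```python
import re
from pathlib import Path
# Minimum BIOS versions copied from this advisory's PowerEdge tables (subset only).
MIN_BIOS = {
    "R740": "1.3.7", "C4140": "1.1.6", "R7425": "1.0.9", "R730": "2.7.1",
    "R720": "2.6.1", "R710": "6.5.0", "T20": "A16", "C1100": "3B24",
}
# FAQ table: does the variant need microcode (BIOS) on top of the OS patch?
# Keys are Linux sysfs file names (assumption: the host runs Linux).
NEEDS_MICROCODE = {"spectre_v1": False, "spectre_v2": True, "meltdown": False}
# Constructed sample: R730 still on BIOS 2.6.0, kernel already patched.
SAMPLE = ("PowerEdge R730", "2.6.0", {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline", "meltdown": "Mitigation: PTI"})

def parse_version(text):
    """Dotted-numeric version -> tuple of ints; None for schemes like 'A16'."""
    if not re.fullmatch(r"\d+(\.\d+)*", text.strip()):
        return None
    return tuple(int(part) for part in text.strip().split("."))

def bios_status(model, installed):
    """'ok', 'update', 'unknown-model', or 'manual' when ordering is not numeric."""
    minimum = MIN_BIOS.get(model.replace("PowerEdge", "").strip())
    if minimum is None:
        return "unknown-model"
    have, need = parse_version(installed), parse_version(minimum)
    if have is None or need is None:
        return "ok" if installed.strip() == minimum else "manual"
    return "ok" if have >= need else "update"

def needed_fixes(model, installed_bios, kernel_status):
    """Sorted list of components still missing for the three CVEs."""
    fixes = set()
    for variant, needs_microcode in NEEDS_MICROCODE.items():
        state = kernel_status.get(variant, "")  # empty: kernel reports nothing
        if not state.startswith(("Mitigation", "Not affected")):
            fixes.add("os-patch")
        # Variant 2 also needs the BIOS, whatever software mitigation is reported.
        if needs_microcode and not state.startswith("Not affected"):
            status = bios_status(model, installed_bios)
            if status != "ok":
                fixes.add("bios-" + status)
    return sorted(fixes)

def read_host():
    """Model, BIOS version and kernel-reported status from Linux sysfs."""
    read = lambda p: Path(p).read_text().strip() if Path(p).is_file() else ""
    vuln = "/sys/devices/system/cpu/vulnerabilities/"
    return (read("/sys/class/dmi/id/product_name"), read("/sys/class/dmi/id/bios_version"),
            {name: read(vuln + name) for name in NEEDS_MICROCODE})

if __name__ == "__main__":
    print(needed_fixes(*SAMPLE), needed_fixes(*read_host()))
```

An empty result means both components are in place for that host; "bios-manual" and "bios-unknown-model" mean the BIOS version has to be compared against the tables by hand.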


Question: What is the Dell EMC current recommendation regarding updating the OS patches?
Answer: Please refer to your OS vendor’s patch guidance links.

Question: Does Dell EMC have a list of Enterprise products that are not affected?
Answer: Dell EMC has a list of Enterprise products that are not currently affected - look here.

Question: What do I do if I run a virtual server?
Answer: Both the hypervisor and all guest OSes need to be patched.

Question: Are internet browsers potentially affected (JavaScript Variant 2 exploit)?
Answer: Yes, internet browsers can be affected by the Spectre vulnerability, and most browsers have provided updated versions or patches to mitigate this potential vulnerability. See links below for Chrome, Internet Explorer, & Mozilla for additional information.

Question: What about iDRAC and PERC?
Answer: Both the PERC and iDRAC are closed systems that do not allow 3rd party (user) code to run. Spectre and Meltdown both require the ability to run arbitrary code on the processor. Due to this closed code arrangement, neither peripheral is at risk of a side-channel analysis microprocessor exploit.

Question: What about appliances? Are there other applications that aren't affected?
Answer: Closed systems that do not allow 3rd party (user) code to run are not vulnerable.

Question: What about the AMD Opteron processors?
Answer: See https://www.amd.com/en/corporate/speculative-execution.

Question: When will the BIOS with microcode updates be available from Dell EMC for Intel based systems?
Answer: Updated BIOSes that contain the Intel microcode security updates are available for PowerEdge 14G, 13G, 12G, and some of the 11G systems.
  • Please refer to the available PowerEdge 11G, 12G, 13G and 14G list of BIOS updates here.
  • The remaining 11G updates are currently under development, and timing will be confirmed closer to the time.
  • A complete listing of available BIOS updates for PowerEdge systems will be made available here. This list is continuously updated as additional BIOS versions become available and we encourage customers to bookmark the page.

Question: When will BIOS be available for converged infrastructure running on PowerEdge technology (VXRail, etc.)
Answer: Dell EMC is working to validate existing PowerEdge code updates for all converged infrastructure platforms running on PowerEdge technology. Updates will be provided as additional information is available.

Question: Will Dell EMC be factory installing the operating system and hypervisor patches for PowerEdge Servers and converged infrastructure?
Answer: As of March 6, 2018, Dell is factory installing the following versions of OS updates to help mitigate the Spectre/Meltdown vulnerabilities. These are configured (where possible) for maximum protection (fully enabled). In some cases, there are newer updates provided by the vendors. Please continue to refer to the OS vendor websites for specific configuration guidance and newer updates and configuration options as they become available.
  • Windows Server 2016: KB4056890 (Released Jan 4, 2018)
  • RedHat Enterprise Linux 7.4 : kernel-3.10.0-693.11.6.el7.x86_64 (Released Jan 4, 2018)
  • SuSE Linux Enterprise Server 12 SP3: kernel-default-4.4.103-6.38.1.x86_64 (Released Jan 4, 2018)
  • VMware ESXi 6.5U1: Rev A08 Build 7388607 (contains VMSA-2018-002 patch)
  • VMWare ESXi 6.0U3: Rev A08 Build 6921384 (contains VMSA-2018-002 patch)

Question: I've heard that the vulnerability affects microprocessors going back at least 10 years. How far back is Dell offering a BIOS update?
Answer: Dell is working with Intel to provide the required BIOS with microcode patches for PowerEdge systems going back to our 11th generation product line. Any BIOS updates that contain microcode updates for the security fix will be dependent upon the affected processor vendors providing code updates to Dell EMC.

Question: Will Dell EMC provide technical support for systems that are out of warranty?
Answer: Dell EMC does not provide technical support for Dell EMC PowerEdge servers that do not have a valid support contract. Customers can access publicly available support documents on support.dell.com regardless of current support contract status.

Question: Will Dell EMC provide patches for systems that are out of warranty?
Answer: Dell EMC PowerEdge server products do not require a valid support contract in order to gain access to our support and downloads pages. PowerEdge server BIOS updates will be available on the Dell EMC support site to all users regardless of current support contract status. Refer to the BIOS section here for BIOS availability. OS patches should be obtained from your OS provider - links are here.

Question: What about the new AMD EPYC processors?
Answer: For AMD public statements on Meltdown (CVE-2017-5754), Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715) as they relate to AMD processors, see https://www.amd.com/en/corporate/speculative-execution.
For Spectre Variant 1 (CVE-2017-5753) the applicable OS patch will address this issue.

Question: When will BIOS updates be available for AMD EPYC based PowerEdge systems that are affected by Spectre?
Answer: Dell EMC has released BIOS updates for our 14G platforms (R7425, R7415, & R6415) which are available on our product support pages. Factory install of these BIOS were available on January 17, 2018.

Question: When will the BIOS with Intel microcode updates be factory installed on the Intel based PowerEdge systems?
Answer: PowerEdge 14G and 13G (except R930) BIOS is targeted to be available via factory install on March 6, 2018. PowerEdge R930 BIOS is targeted to be available via factory install by March 9, 2018.

Question: Is there a performance impact from these BIOS and OS updates?
Answer: The key aspect of these attacks relies on speculative execution, which is a performance-related feature. Performance impacts will vary since they are highly workload dependent. Dell is working with Intel and other vendors to determine performance impacts as a result of these updates and will address this once available.




Article ID: SLN308588

Last Date Modified: 09/14/2018 10:14 AM

