
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell Technologies Servers, Storage, and Networking

Summary: Dell Technologies guidance to mitigate risk and resolution for the side-channel analysis vulnerabilities (also known as Meltdown and Spectre) for servers, storage, and networking products. For specific information about affected platforms and next steps to apply the updates, see this guide. ...


Symptoms

2018-11-21

CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Dell Technologies is aware of the side-channel analysis vulnerabilities (also known as Meltdown and Spectre) affecting many modern microprocessors that were publicly described by a team of security researchers on January 3, 2018. We encourage customers to review the Security Advisories in the References section for more information.

NOTE: Patch Guidance (update 2018-02-08):

Dell Technologies has received a new microcode from Intel per their advisory that was issued on January 22. Dell Technologies is issuing new BIOS updates for the affected platforms to address Spectre (Variant 2), CVE-2017-5715. The Product Tables have been updated and will be updated as more microcode is released by Intel. If your product has an updated BIOS listed, Dell Technologies recommends you upgrade to that BIOS and apply the appropriate operating system updates to provide mitigation against Meltdown and Spectre.
 
If your product does not have an updated BIOS listed, Dell Technologies still advises that customers should not deploy the previously released BIOS updates and wait for the updated version.

If you have already deployed a BIOS update that could have issues according to Intel's January 22 advisory, in order to avoid unpredictable system behavior, you can revert back to a previous BIOS version. See the tables below.

As a reminder, the Operating System patches are not impacted and still provide mitigation to Spectre (Variant 1) and Meltdown (Variant 3). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.

There are two essential components that must be applied to mitigate the above-mentioned vulnerabilities:

1. System BIOS, as per the tables below
2. Operating System and Hypervisor updates

We encourage customers to review the appropriate Hypervisor/OS vendor security advisory. The References section below contains links to some of these vendors.

Dell Technologies recommends that customers follow security best practices for malware protection in general, to protect against possible exploitation of these analysis methods until any future updates can be applied. These practices include promptly adopting software updates, avoiding unrecognized hyperlinks and websites, protecting access to privileged accounts, and following secure password protocols.
 

Dell Products requiring no patches or fixes for these three CVE vulnerabilities

Dell Storage Product Line | Assessment
EqualLogic PS Series | The CPU used in this product does not implement speculative execution, therefore the vulnerabilities do not apply to this hardware.
Dell EMC SC Series (Dell Compellent) | Access to the platform operating system to load external code is restricted; malicious code cannot be run.
Dell Storage MD3 and DSMS MD3 Series | Access to the platform operating system to load external code is restricted; malicious code cannot be run.
Dell PowerVault Tape Drives and Libraries | Access to the platform operating system to load external code is restricted; malicious code cannot be run.
Dell Storage FluidFS Series (includes: FS8600, FS7600, FS7610, FS7500, NX3600, NX3610, NX3500) | Access to the platform operating system to load external code is restricted to privileged accounts only. Malicious code cannot be run, provided the recommended best practices to protect the access of privileged accounts are followed.

Dell Storage Virtual Appliance | Assessment
Dell Storage Manager Virtual Appliance (DSM VA - Dell Compellent) | These virtual appliances do not provide general user access. They are single-user, root-user-only, and therefore do not introduce any additional security risk to an environment. The host system and hypervisor must be protected; see vendor links and best practices statement, above.
Dell Storage Integration tools for VMware (Dell Compellent) | Same assessment as the DSM Virtual Appliance above.
Dell EqualLogic Virtual Storage Manager (VSM - EqualLogic) | Same assessment as the DSM Virtual Appliance above.

Systems Management for PowerEdge Server Products

Component | Assessment
iDRAC: 14G, 13G, 12G, 11G | Not impacted. iDRAC is a closed system that does not allow external third-party code to be run.
Chassis Management Controller (CMC): 14G, 13G, 12G, 11G | Not impacted. CMC is a closed system that does not allow external third-party code to be run.
Platforms | Assessment
All platforms listed below | These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.
Dell 10Gb Ethernet Pass-Through
Dell 10Gb-K Ethernet Pass-Through
Dell Ethernet Pass-Through
FC8 Pass-Through
Force10 MXL Blade
PowerConnect M6220
PowerConnect M6348
PowerConnect M8024
PowerConnect M8024-K

Platforms | Assessment
Brocade M5424, M6505, M8428-k | Vendor Statement
Cisco Catalyst 3032, 3130, 3130G, 3130X | Vendor Statement
Cisco Catalyst Nexus B22 Dell Blade Fabric Extender | Vendor Statement

Platforms | Assessment
All platforms listed below | These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.
C1048P, C9010
M I/O Aggregator
MXL
FX2
N11xx, N15xx, N20xx, N30xx
N2128PX, N3128PX
S55, S60
S3048-ON OS9, S3048-ON OS10 Enterprise, S3100, S3124F, S3124P, S3148P
S4048, S4048-ON OS9, S4048-ON OS10 Enterprise, S4048T-ON OS9, S4048T-ON OS10 Enterprise
S4128F-ON, S4148F-ON, S4128T-ON, S4148T-ON, S4148U-ON, S4148FE-ON, S4148FB, S4248FBL
S5048, S5048F-ON, S5148F
S6000, S6000-ON OS9, S6010-ON OS9, S6010-ON OS10 Enterprise, S6100-ON
SIOM
Z9000, Z9100 OS9, Z9100 OS10 Enterprise

Platforms | Assessment
All platforms listed below | These products are a single-user, root-user-only appliance. The reported issues do not introduce any additional security risk to a customer's environment, provided the recommended best practices to protect the access of highly privileged accounts are followed.
PowerConnect 2016, 2124, 2216, 2224, 2324, 2508, 2608, 2616, 2624
PowerConnect 2708, 2716, 2724, 2748, 2808, 2816, 2824, 2848
PowerConnect 3024, 3048, 3248, 3324, 3348
PowerConnect 3424, 3424P, 3448, 3448P, 3524, 3524P, 3548, 3548P
PowerConnect 5012, 5212, 5224, 5316M, 5324, 5424, 5448, 5524, 5524P, 5548, 5548P
PowerConnect 6024, 6024F, 6224, 6224F, 6224P, 6248, 6248P
PowerConnect 7024, 7024F, 7024P, 7048, 7048P, 7048R
PowerConnect 8024, 8024F, 8100 Series
PowerConnect B-8000, B-8000e, B-FCXs, B-T124X
PowerConnect J-EX4200, J-EX4200-24F, J-EX4200-24t, J-EX4200-48t, J-EX4500
PowerConnect J-SRX100, J-SRX210, SRX240
C9000 Series Line Cards

Platforms | Assessment
Brocade 300, 4424 Switch Fi, 5100, 5300 | Vendor Statement
Brocade 6505, 6510, 6520, G620 | Vendor Statement
Cisco Catalyst 3750E-48TD, 4900M, 4948-10GE | Vendor Statement

Platforms | Assessment
Active Fabric Controller Software | Unaffected
Active Fabric Manager Software | Unaffected
Dell Networking vCenter Plug-in Software | Unaffected
Dell OpenManage Network Manager Software | Unaffected
Open Automation Software | Unaffected
Software Defined Networking Software | Unaffected

NOTE: The tables below list products for which there is available BIOS/Firmware/Driver guidance. This information is updated as additional information is available. If you do not see your platform, please check later.

The Server BIOS can be updated using the iDRAC; for more information, see the Dell Knowledge Base article How to update firmware remotely using the Integrated Dell Remote Access Controller (iDRAC) web interface. It can also be updated directly from the Operating System; for more information, see the Dell Knowledge Base article Update a Dell PowerEdge Driver or Firmware Directly from the OS (Windows and Linux).
For additional methods, see the Dell Knowledge Base article Updating Firmware and Drivers on Dell PowerEdge Servers.

These are the minimum required BIOS versions.

BIOS/Firmware/Driver updates for PowerEdge Server and Networking Products

Generation | Models | BIOS version
14G | R740, R740XD, R640, R940, XC740XD, XC640 | 1.3.7
14G | R540, R440, T440, XR2 | 1.3.7
14G | T640 | 1.3.7
14G | C6420 | 1.3.7
14G | FC640, M640, M640P | 1.3.7
14G | C4140 | 1.1.6
14G | R6415, R7415 | 1.0.9
14G | R7425 | 1.0.9
13G | R830 | 1.7.1
13G | T130, R230, T330, R330, NX430 | 2.4.3
13G | R930 | 2.5.1
13G | R730, R730XD, R630, NX3330, NX3230, DSMS630, DSMS730, XC730, XC703XD, XC630 | 2.7.1
13G | C4130 | 2.7.1
13G | M630, M630P, FC630 | 2.7.1
13G | FC430 | 2.7.1
13G | M830, M830P, FC830 | 2.7.1
13G | T630 | 2.7.1
13G | R530, R430, T430, XC430, XC430Xpress | 2.7.1
13G | R530XD | 1.7.0
13G | C6320, XC6320 | 2.7.1
13G | C6320P | 2.0.5
13G | T30 | 1.0.12
12G | R920 | 1.7.1
12G | R820 | 2.4.1
12G | R520 | 2.5.1
12G | R420 | 2.5.1
12G | R320, NX400 | 2.5.1
12G | T420 | 2.5.1
12G | T320 | 2.5.1
12G | R220 | 1.10.2
12G | R720, R720XD, NX3200, XC720XD | 2.6.1
12G | R620, NX3300 | 2.6.1
12G | M820 | 2.6.1
12G | M620 | 2.6.1
12G | M520 | 2.6.1
12G | M420 | 2.6.1
12G | T620 | 2.6.1
12G | FM120x4 | 1.7.0
12G | T20 | A16
12G | C5230 | 1.3.1
12G | C6220 | 2.5.5
12G | C6220II | 2.8.1
12G | C8220, C8220X | 2.8.1
11G | R710 | 6.5.0
11G | NX3000 | 6.6.0***
11G | R610 | 6.5.0
11G | T610 | 6.5.0
11G | R510 | 1.13.0
11G | NX3100 | 1.14.0***
11G | R410 | 1.13.0
11G | NX300 | 1.14.0***
11G | T410 | 1.13.0
11G | R310 | 1.13.0
11G | T310 | 1.13.0
11G | NX200 | 1.14.0***
11G | T110 | 1.11.1
11G | T110-II | 2.9.0
11G | R210 | 1.11.0
11G | R210-II | 2.9.0
11G | R810 | 2.10.0
11G | R910 | 2.11.0
11G | T710 | 6.5.0
11G | M610, M610X | 6.5.0
11G | M710 | 6.5.0
11G | M710HD | 8.3.1
11G | M910 | 2.11.0
11G | C1100 | 3B24
11G | C2100 | 3B24
11G | C5220 | 2.2.0
11G | C6100 | 1.80
11G | R415 | 2.4.1
11G | R515 | 2.4.1
11G | R715 | 3.4.1
11G | R815 | 3.4.1
11G | M915 | 3.3.1
11G | C6105 | 2.6.0
11G | C6145 | 3.6.0

NOTE: ***Only update the BIOS using the Non-Packaged update on the 11G NX series platforms.

Models | BIOS version
DSS9600, DSS9620, DSS9630 | 1.3.7
DSS1500, DSS1510, DSS2500 | 2.7.1
DSS7500 | 2.7.1

Models | BIOS/Firmware/Driver version
OS10 Basic VM | In progress
OS10 Enterprise VM | In progress
S OS-Emulator | In progress
Z OS-Emulator | In progress
S3048-ON OS10 Basic | In progress
S4048-ON OS10 Basic | In progress
S4048T-ON OS10 Basic | In progress
S6000-ON OS Basic | In progress
S6010-ON OS10 Basic | In progress
Z9100 OS10 Basic | In progress
 
Networking - Fixed Port Switches

Platforms | BIOS/Firmware/Driver version
Mellanox SB7800 Series, SX6000 Series | Mellanox is carefully investigating the released patches, and will release software updates when available. Vendor Statement

Models | BIOS/Firmware/Driver version
W-3200, W-3400, W-3600, W-6000, W-620, W-650, W-651 | Link (requires login)
W-7005, W-7008, W-7010, W-7024, W-7030, W-7200 Series, W-7205 | Link (requires login)
W-AP103, W-AP103H, W-AP105, W-AP114, W-AP115, W-AP124, W-AP125, W-AP134, W-AP135, W-AP175 | Link (requires login)
W-AP204, W-AP205, W-AP214, W-AP215, W-AP224, W-AP225, W-AP274, W-AP275 | Link (requires login)
W-AP68, W-AP92, W-AP93, W-AP93H | Link (requires login)
W-IAP103, W-IAP104, W-IAP105, W-IAP108, W-IAP109, W-IAP114, W-IAP115, W-IAP134, W-IAP135 | Link (requires login)
W-IAP155, W-IAP155P, W-IAP175P, W-IAP175AC, W-IAP204, W-IAP205, W-IAP214, W-IAP215 | Link (requires login)
W-IAP-224, W-IAP225, W-IAP274, W-IAP275, W-IAP3WN, W-IAP3P, W-IAP92, W-IAP93 | Link (requires login)
W-Series Access Points - 205H, 207, 228, 277, 304, 305, 314, 315, 324, 325, 334, 335 | Link (requires login)
W-Series Controller AOS | Link (requires login)
W-Series FIPS | Link (requires login)

Models | BIOS/Firmware/Driver version
W-Airwave | Link (requires login). Ensure that the Hypervisor has appropriate patches.
W-ClearPass Hardware Appliances | Link (requires login)
W-ClearPass Virtual Appliances | Link (requires login). Ensure that the Hypervisor has appropriate patches.
W-ClearPass 100 Software | Link (requires login)

Updates on other Dell products

External references

Operating system Patch Guidance

Performance Links


Frequently Asked Questions (FAQ)

Question: How can I protect against these vulnerabilities?
Answer: There are three vulnerabilities associated with Meltdown and Spectre. Customers must deploy an operating system patch from their operating system vendor for all three vulnerabilities. Only Spectre Variant 2 (CVE-2017-5715) requires a BIOS update with the processor vendor-provided microcode. Currently, Intel does not yet have a microcode update available to protect against the Spectre Variant 2 vulnerability.

See the table below:

Variant to Patch | Microcode Update Needed? | Operating system Patch Needed?
Spectre (Variant 1), CVE-2017-5753 | No | Yes
Spectre (Variant 2), CVE-2017-5715 | Yes | Yes
Meltdown (Variant 3), CVE-2017-5754 | No | Yes

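The two-component rule above (and in the "two essential components" guidance earlier) is easy to get wrong in practice: a kernel can report Spectre Variant 2 as mitigated by retpoline while the BIOS still carries old microcode. The following added example (not Dell tooling) turns the FAQ table and an excerpt of the article's minimum BIOS table into a per-CVE readiness check for a Linux PowerEdge host. It assumes the kernel's /sys/devices/system/cpu/vulnerabilities files; the sysfs strings and BIOS version in the sample are constructed, not captured from a real system.

```python
import re

# Excerpt of the article's minimum BIOS table (model -> minimum version).
MIN_BIOS = {"R740": "1.3.7", "R730": "2.7.1", "R630": "2.7.1", "R720": "2.6.1",
            "R710": "6.5.0", "T20": "A16"}  # T20 is non-numeric: exact match only

# From the article's FAQ table: sysfs name and whether microcode (BIOS) is needed.
NEEDS = {
    "CVE-2017-5753": ("spectre_v1", False),  # Spectre v1: OS patch only
    "CVE-2017-5715": ("spectre_v2", True),   # Spectre v2: BIOS microcode + OS patch
    "CVE-2017-5754": ("meltdown", False),    # Meltdown: OS patch only
}

def parse_version(v):
    """Dotted numeric BIOS version -> comparable tuple; None if not numeric (e.g. 'A16')."""
    return tuple(int(p) for p in v.split(".")) if re.fullmatch(r"\d+(\.\d+)*", v) else None

def bios_ok(model, installed):
    """True/False when the versions compare numerically; None when a manual check is needed."""
    need = MIN_BIOS.get(model)
    if need is None:
        return None  # model not in the (excerpted) table
    have, want = parse_version(installed), parse_version(need)
    if have is None or want is None:
        return True if installed == need else None  # non-numeric: exact match only
    return have >= want

def os_mitigated(sysfs_text):
    """The kernel writes 'Mitigation: ...' or 'Not affected' to
    /sys/devices/system/cpu/vulnerabilities/<name>; anything else counts as unpatched."""
    return sysfs_text.strip().startswith(("Mitigation", "Not affected"))

def assess(model, installed_bios, sysfs):
    """Per CVE: 'ok', 'needs_os_patch', 'needs_bios' or 'check_bios' (manual BIOS check)."""
    bios = bios_ok(model, installed_bios)
    result = {}
    for cve, (name, needs_microcode) in NEEDS.items():
        if not os_mitigated(sysfs.get(name, "Vulnerable")):
            result[cve] = "needs_os_patch"   # OS patch is required for all three
        elif needs_microcode and bios is False:
            result[cve] = "needs_bios"       # Variant 2 also needs the BIOS microcode
        elif needs_microcode and bios is None:
            result[cve] = "check_bios"
        else:
            result[cve] = "ok"
    return result

# Constructed sample host: an R730 on BIOS 2.6.1 whose kernel is patched for all three.
SAMPLE_SYSFS = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline",
    "meltdown": "Mitigation: PTI",
}

if __name__ == "__main__":
    # On a real host, read each sysfs file and take the BIOS version from dmidecode instead.
    for cve, status in assess("R730", "2.6.1", SAMPLE_SYSFS).items():
        print(cve, status)
```

For the sample host the kernel is patched, but CVE-2017-5715 still reports needs_bios because 2.6.1 is below the 2.7.1 minimum the article lists for the R730.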

Question: What is Dell Technologies' current recommendation regarding updating the operating system patches?
Answer: See the operating system vendor’s patch guidance links.

Question: Does Dell Technologies have a list of Enterprise products that are not affected?
Answer: Dell Technologies has a list of Enterprise products that are not affected. See the Dell Products requiring no patches or fixes for these three CVE vulnerabilities section.

Question: What do I do if I run a virtual server?
Answer: Both the hypervisor and all guest operating systems must be updated.

Question: Are Internet browsers potentially affected (JavaScript Variant 2 exploit)?
Answer: Yes, Internet browsers can be affected by the Spectre vulnerability, and most browsers have provided updated versions or patches to mitigate this potential vulnerability. See the links below for Chrome, Internet Explorer, and Mozilla for additional information.

Question: What about iDRAC and PERC?
Answer: Both the PERC and iDRAC are closed systems that do not allow third-party (user) code to run. Spectre and Meltdown both require the ability to run arbitrary code on the processor. Due to this closed code arrangement neither peripheral is at risk of a side-channel analysis microprocessor exploit.

Question: What about appliances? Are there other applications that are not affected?
Answer: Closed systems that do not allow third-party (user) code to run are not vulnerable.

Question: What about the AMD Opteron processors?
Answer: See https://www.amd.com/en/corporate/speculative-execution.

Question: When will the BIOS with microcode updates be available from Dell Technologies for Intel-based systems?
Answer: Updated BIOSes that contain the Intel microcode security updates are available for PowerEdge 14G, 13G, 12G, and some of the 11G systems.

Question: When will the BIOS be available for converged infrastructure running on PowerEdge technology (VxRail, and so forth)?
Answer: Dell Technologies is working to validate existing PowerEdge code updates for all converged infrastructure platforms running on PowerEdge technology. Updates are provided as additional information is available.

Question: Will Dell Technologies be factory installing the operating system and hypervisor patches for PowerEdge Servers and converged infrastructure?
Answer: As of March 6, 2018, Dell is factory installing the following versions of operating system updates to help mitigate the Spectre/Meltdown vulnerabilities. These are configured (where possible) for maximum protection (fully enabled). Sometimes, there are newer updates provided by the vendors. Continue to see the operating system vendor websites for specific configuration guidance and newer updates and configuration options as they become available.
  • Windows Server 2016: KB4056890 (Released Jan 4, 2018)
  • Red Hat Enterprise Linux 7.4: kernel-3.10.0-693.11.6.el7.x86_64 (Released Jan 4, 2018)
  • SuSE Linux Enterprise Server 12 SP3: kernel-default-4.4.103-6.38.1.x86_64 (Released Jan 4, 2018)
  • VMware ESXi 6.5U1: Rev A08 Build 7388607 (contains VMSA-2018-002 patch)
  • VMware ESXi 6.0U3: Rev A08 Build 6921384 (contains VMSA-2018-002 patch)

Question: I have heard that the vulnerability affects microprocessors going back at least 10 years. How far back is Dell offering a BIOS update?
Answer: Dell is working with Intel to provide the required BIOS with microcode patches for PowerEdge systems going back to our 11th generation product line. Any BIOS updates that contain microcode updates for the security fix will be dependent upon the affected processor vendors providing code updates to Dell Technologies.

Question: Will Dell Technologies provide technical support for systems that are out of warranty?
Answer: Dell Technologies does not provide technical support for Dell Technologies PowerEdge servers that do not have a valid support contract. Customers can access publicly available support documents on Dell Support regardless of current support contract status.

Question: Will Dell Technologies provide patches for systems that are out of warranty?
Answer: Dell Technologies PowerEdge server products do not require a valid support contract in order to gain access to our support and download pages. PowerEdge server BIOS updates are available on the Dell Technologies support site to all users regardless of current support contract status. See the BIOS section BIOS/Firmware/Driver updates for PowerEdge Server and Networking Products for BIOS availability. Operating system patches should be obtained from your operating system provider; see the links in the operating system Patch Guidance section.

Question: What about the new AMD EPYC processors?
Answer: For AMD public statements on Meltdown (CVE-2017-5754) Spectre Variant 1 (CVE-2017-5753) and Spectre Variant 2 (CVE-2017-5715) as they relate to AMD processors, see https://www.amd.com/en/corporate/speculative-execution.
For Spectre Variant 1 (CVE-2017-5753) the applicable operating system patch addresses this issue.

Question: When will BIOS updates be available for AMD EPYC based PowerEdge systems that are affected by Spectre?
Answer: Dell EMC has released BIOS updates for our 14G platforms (R7425, R7415, & R6415) which are available on our product support pages. Factory installs of these BIOS were available on January 17, 2018.

Question: When will the BIOS with Intel microcode updates be factory installed on the Intel based PowerEdge systems?
Answer: PowerEdge 14G and 13G (except R930) BIOS is targeted to be available by factory install on March 6, 2018. PowerEdge R930 BIOS is targeted to be available using factory install by March 9, 2018.

Question: Is there a performance impact from these BIOS and operating system updates?
Answer: The key aspect of these attacks relies on speculative execution which is a performance-related feature. Performance impacts vary since they are highly workload-dependent. Dell is working with Intel and other vendors to determine performance impacts as a result of these updates and will address this once available.

Cause

No Cause Information is Available.

Resolution

No Resolution Information is Available.

Affected Products

Networking, Datacenter Scalable Solutions, PowerEdge, C Series, Entry Level & Midrange, Compellent (SC, SCv & FS Series), Legacy Storage Models

Article Properties
Article Number: 000178106
Article Type: Solution
Last Modified: 06 Sept 2023
Version: 11