1/25/2018
08:05 AM
Scott Ferguson
News Analysis-Security Now

HPE, Dell EMC Warn Customers Over Spectre, Meltdown Patches

Hewlett Packard Enterprise and Dell EMC, two of the biggest suppliers of enterprise data center gear, have issued new warnings about the Spectre and Meltdown patches from Intel.

Following fresh warnings from Intel to users earlier this week, Hewlett Packard Enterprise and Dell EMC have each issued warnings to their customers about patches related to the Spectre and Meltdown CPU vulnerabilities.

HPE and Dell EMC are two of the largest suppliers of data center and cloud computing equipment to enterprises, meaning that any warnings from them about the Spectre and Meltdown patches could have far-reaching consequences for IT departments as well as security pros.

The security bulletins from HPE and Dell EMC follow a statement from Intel Corp. (Nasdaq: INTC) on January 22 that warned about unexpected system reboots, as well as other problems specifically related to the Spectre patch. This warning from the chipmaker was directed at nearly everyone and everything in the tech industry, including OEMs, cloud service providers, system manufacturers, software vendors and end users.

The latest warnings from Intel were met with loud complaints from many in the tech community, including Linux founder Linus Torvalds, who offered a less-than-cordial assessment of what the chipmaker has been doing to address the issue. (See Linus Torvalds: Intel's Spectre Patch Is 'Complete & Utter Garbage'.)

In its message to customers, HPE notes that the company has not put the patch into production and that any servers that ship from its factories have the proper BIOS version to avoid problems.

Customers who have downloaded the patch from the company's website, however, should take note.

"The alert does apply to customers that recently downloaded the System ROM update with the Intel microcode patch from the HPE website," according to HPE.

Dell EMC pushed out a similar warning to its customers, noting: "Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel."



As the Dell EMC warning indicates, there are several different variants associated with these chip vulnerabilities. Variants 1 and 2 relate to Spectre, while Variant 3 is Meltdown. Of the three, Variant 2 has given Intel and its partners the most difficulty, across a wide range of the company's CPUs.

Specifically, Variant 2 involves a flaw in "indirect branch speculation," which is difficult to patch and can leave certain types of environments open to attack. Intel's fix, Indirect Branch Restricted Speculation (IBRS), is the part of the patch that restricts speculative execution of indirect program branches.

It was this patch that caused Torvalds to lash out: "So the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation."

In its own report on the Variant 2 flaw, Google (Nasdaq: GOOG) noted in a blog post that it had devised an approach called Retpoline, a binary modification technique that prevents branch-target injection. It keeps performance largely intact while ensuring that an attacker cannot exploit the flaw by manipulating the execution path.
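With vendors pulling BIOS updates, administrators are left asking which mitigation (IBRS from microcode, Retpoline from the kernel, or nothing) is actually active for each variant. The script below is an added example, not code from the article or from HPE, Dell EMC or Intel; it reads the status lines the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities and classifies them by the variant numbering used above. It assumes a Linux host; elsewhere the entries are reported as missing.

```shell
#!/bin/sh
# Added example (not from the article): read the Linux kernel's own verdict on
# Spectre Variant 1/2 and Meltdown (Variant 3) from sysfs and report which
# mitigation (retpoline, IBRS, other, or none) is in effect.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_line "<sysfs status line>" -> one of:
#   none | vulnerable | retpoline | ibrs | mitigated | unknown
# Order matters: early-2018 kernels printed lines such as
# "Vulnerable: Minimal generic ASM retpoline", which must count as vulnerable.
classify_line() {
    case "$1" in
        "Not affected"*)  echo none ;;
        Vulnerable*)      echo vulnerable ;;
        *[Rr]etpoline*)   echo retpoline ;;
        *IBRS*)           echo ibrs ;;
        Mitigation:*)     echo mitigated ;;
        *)                echo unknown ;;
    esac
}

# variant_status <sysfs file name> -> prints the raw status line, or a
# marker when the kernel does not expose that entry (non-Linux, old kernel)
variant_status() {
    if [ -r "$VULN_DIR/$1" ]; then
        cat "$VULN_DIR/$1"
    else
        echo "unknown (no $1 entry in $VULN_DIR)"
    fi
}

# report: one line per variant, in the numbering used by Intel and Dell EMC
report() {
    for pair in "spectre_v1:Variant 1 (Spectre)" \
                "spectre_v2:Variant 2 (Spectre)" \
                "meltdown:Variant 3 (Meltdown)"; do
        file=${pair%%:*}
        label=${pair#*:}
        status=$(variant_status "$file")
        printf '%-22s %-10s %s\n' "$label" "$(classify_line "$status")" "$status"
    done
}

report
```

A Variant 2 line that classifies as "retpoline" means the kernel-side mitigation is active regardless of whether the pulled BIOS microcode was ever applied; "ibrs" indicates the microcode-based mitigation the vendor bulletins refer to.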


— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.
