Following fresh warnings from Intel to users earlier this week, Hewlett Packard Enterprise and Dell EMC have each issued warnings to their customers about patches related to the Spectre and Meltdown CPU vulnerabilities.
HPE and Dell EMC are two of the largest suppliers of data center and cloud computing equipment to enterprises, meaning that any warnings from them about the Spectre and Meltdown patches could have far-ranging consequences for IT departments, as well as security pros.
The security bulletins from HPE and Dell EMC follow a statement from Intel Corp. (Nasdaq: INTC) on January 22 that warned about unexpected system reboots, as well as other problems specifically related to the Spectre patch. This warning from the chipmaker was directed at nearly everyone and everything in the tech industry, including OEMs, cloud service providers, system manufacturers, software vendors and end users.
The latest warnings from Intel were met with loud complaints from many in the tech community, including Linux founder Linus Torvalds, who offered a less-than-cordial assessment of what the chipmaker has been doing to address the issue. (See Linus Torvalds: Intel's Spectre Patch Is 'Complete & Utter Garbage'.)
In its message to customers, HPE notes that the company has not put the patch into production and that any servers that ship from its factories have the proper BIOS version to avoid problems.
However, customers should be cautious about downloading the patch from the company website.
"The alert does apply to customers that recently downloaded the System ROM update with the Intel microcode patch from the HPE website," according to HPE.
Dell EMC pushed out a similar warning to its customers, noting: "Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel."
As the Dell EMC warning indicates, there are several different variants associated with these chip vulnerabilities. Variants 1 and 2 relate to Spectre, while Variant 3 is for Meltdown. Of the three, Variant 2 has given Intel and its partners the most difficulty with a wide variety of the company's CPUs.
Specifically, Variant 2 involves a flaw called "indirect branch speculation," which is difficult to patch, and can make certain types of environments susceptible to attacks. Intel offered a fix called Indirect Branch Restricted Speculation or IBRS, which is the part of the patching that restricts speculation of indirect program branches.
It was this patch that caused Torvalds to lash out: "So the IBRS garbage implies that Intel is _not_ planning on doing the right thing for the indirect branch speculation."
In its own report on the Variant 2 flaw, Google (Nasdaq: GOOG) noted in a blog post that it had come up with an approach called Retpoline -- a binary modification technique that prevents branch-target-injection. This allowed key performance issues to continue and ensured that an attacker could not take advantage of the flaw by manipulating the execution commands.