Major Flaw in Millions of Intel Chips

Intel Corp. admits security patches for Meltdown and Spectre flaws have bugs while AMD says its chips are vulnerable to both Spectre variants - Silicon Valley Business Journal

Santa Clara-based Intel Corp. is quietly urging its biggest data center customers to hold off on installing the company’s latest security patches for the Spectre and Meltdown chip flaws, because the patches have bugs that could cause unexpected system reboots, The Wall Street Journal reports.
In a public post Thursday, Intel executive Navin Shenoy confirmed the issue, saying “a few customers” running Intel’s older Broadwell and Haswell chips had experienced higher-than-normal system reboots.
“We are working quickly with these customers to understand, diagnose and address this reboot issue,” he wrote.
 
List of Links: BIOS Updates for the Meltdown and Spectre Patches:
As Intel, AMD, and other CPU manufacturers have started releasing CPU microcode (firmware) updates for processor models affected by the Meltdown and Spectre patches, those updates are trickling down to OEMs and motherboard vendors, who are now integrating these patches into BIOS/UEFI updates for affected PCs.

While not all vendors have patches available for vulnerable products right away, most have promised updates in the following months.

Bleeping Computer will be updating the list as more information becomes available.
 
Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners:

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated solution to industry partners for testing, and we will make a final release available once that testing has been completed.

Based on this, we are updating our guidance for customers and partners:
  • We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior. For the full list of platforms, see the Intel.com Security Center site.
  • We ask that our industry partners focus efforts on testing early versions of the updated solution so we can accelerate its release. We expect to share more details on timing later this week.
  • We continue to urge all customers to vigilantly maintain security best practice and for consumers to keep systems up-to-date.
 
Note that Dell and HP (and others) are now recalling the BIOS updates for Spectre and advising customers to revert to older BIOS versions as per the updated Intel advisory here: Intel(R) Product Security Center

Updated Jan. 22
We have now identified the root cause of the reboot issue impacting Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Based on this, we are updating our guidance for customers and partners:

  • We recommend that OEMs, Cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions on the below platforms, as they may introduce higher than expected reboots and other unpredictable system behavior.
  • We also ask that our industry partners focus efforts on testing early versions of the updated solution for Broadwell and Haswell we started rolling out this weekend, so we can accelerate its release. We expect to share more details on timing later this week.
  • For those concerned about system stability while we finalize the updated solutions, we are also working with our OEM partners on the option to utilize a previous version of microcode that does not display these issues, but removes the Variant 2 (Spectre) mitigations. This would be delivered via a BIOS update, and would not impact mitigations for Variant 1 (Spectre) and Variant 3 (Meltdown).

We believe it is important for OEMs and our customers to follow this guidance for all of the specified platforms listed below, as they may demonstrate higher than expected reboots and unpredictable system behavior. The progress we have made in identifying a root cause for Haswell and Broadwell will help us address issues on other platforms. Please be assured we are working quickly to address these issues.



Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel.

If you have already deployed the BIOS update, in order to avoid unpredictable system behavior, you can revert back to a previous BIOS version. See the tables below.
Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking) | Dell UK

  • HP is removing HP BIOS softpaqs with Intel microcode patches from hp.com.
  • HP will be reissuing HP BIOS softpaqs with previous Intel microcode starting January 25, 2018.
  • Once Intel reissues microcode updates, HP will issue revised Softpaqs.

HP is working closely with our partners, and updates will be made as soon as possible. Check this Security Bulletin frequently for updates.
HPSBHF03573 rev. 6 - Side-Channel Analysis Method | HP(R) Customer Support


EDIT - Didn't see Corrine has already posted this info! Whoops
 
Hello all,
I hope you do not mind my question.
I would like to ask about company environments and if that can have an impact in case the servers are completely secured and patched but there are a few vulnerable workstations.
Is there a chance for the whole environment to be compromised through the vulnerable workstation?
Also, is there a vendor on the market who managed to release a product not vulnerable to Spectre and Meltdown?
Thank you in advance.
Andy
 
Hi RepairandRestore,

I don't think it's possible for a whole environment to get infected with the Spectre and Meltdown flaws if there are only a few vulnerable. I don't speak from any experience or a lot of knowledge about the subject, rather from the thought that I don't think it's possible to use either of the methods on a system that has already been patched.

From what I read, Intel doesn't (yet) release its CPUs with the fixes already implemented; instead, Intel releases products with a security feature that enables Spectre mitigation.
 