Huawei multiple servers Intel CPU Vulnerabilities Meltdown and Spectre

Security researchers disclosed two groups of CPU vulnerabilities, “Meltdown” and “Spectre”. In some circumstances, a local attacker could exploit these vulnerabilities to read memory information belonging to other processes or to other operating system kernels. (Vulnerability IDs: HWPSIRT-2018-01001, HWPSIRT-2018-01002, HWPSIRT-2018-01003)

These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) IDs: CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754.

| Product Name | Affected Version | Resolved Product and Version |
|---|---|---|
| CH121 V3 | Versions before V100R001C00SPC250 | V100R001C00SPC250[1] |
| CH121L V3 | Versions before V100R001C00SPC150 | V100R001C00SPC150[1] |
| CH140 V3 | Versions before V100R001C00SPC170 | V100R001C00SPC170[1] |
| CH140L V3 | Versions before V100R001C00SPC150 | V100R001C00SPC150[1] |
| CH220 V3 | Versions before V100R001C00SPC250 | V100R001C00SPC250[1] |
| CH222 V3 | Versions before V100R001C00SPC250 | V100R001C00SPC250[1] |
| CH225 V3 | Versions before V100R001C00SPC150 | V100R001C00SPC150[1] |
| CH226 V3 | Versions before V100R001C00SPC170 | V100R001C00SPC170[1] |
| 1288H V5 | Versions before V100R005C00SPC107 | V100R005C00SPC107[2] |
| 2288H V5 | Versions before V100R005C00SPC107 | V100R005C00SPC107[2] |

Note:

[1] Upgrade the BIOS to version V382 and the iBMC to version V268. In addition to these two components, the operating system patches provided by the operating system vendor must also be installed.

[2] Upgrade the BIOS to version V055 and the iBMC to version V270. In addition to these two components, the operating system patches provided by the operating system vendor must also be installed.

An attacker could exploit these vulnerabilities to read memory information belonging to other processes or to other operating system kernels.

The vulnerability classification has been performed by using the CVSSv3 scoring system (https://www.first.org/cvss/specification-document).

HWPSIRT-2018-01001

Base Score: 8.2 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N)

Temporal Score: 7.6 (E:F/RL:O/RC:C)

HWPSIRT-2018-01002 & HWPSIRT-2018-01003

Base Score: 7.1 (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Temporal Score: 6.6 (E:F/RL:O/RC:C)

1. Prerequisite:

An attacker must be able to run crafted code on an affected device.

2. Attacking procedure:

In some circumstances, a local attacker could exploit these vulnerabilities to read memory information belonging to other processes or to other operating system kernels.

Customers should contact Huawei TAC (Huawei Technical Assistance Center) to request the upgrades. For TAC contact information, please refer to the Huawei worldwide website at http://www.huawei.com/en/psirt/report-vulnerabilities.
