|
Original release date: 7 January 2018
Update date: 17 April 2018
CVE IDs
Meltdown: CVE-2017-5754
Spectre: CVE-2017-5715, CVE-2017-5753
CVSS Base Scores
CVE-2017-5754: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVE-2017-5715: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
CVE-2017-5753: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
Description
Meltdown vulnerability destroys the basic isolation between the user program and the operating system, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.
Spectre vulnerabilities undermines the security isolation between different applications, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
Scope
The Intel chips produced after 1995 are affected. AMD, Qualcomm, ARM and POWERPC processors are also affected.
Solution
1.For 3rd party platforms
The operating system and CPU manufacturers have released upgraded patch, it is recommended that users upgrade and install patches after performance test verification and evaluation of the actual running business.
1) CPU manufactures
Intel
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ (performance test result)
AMD
http://www.amd.com/en/corporate/speculative-execution
ARM
https://developer.arm.com/support/security-update
IBM
http://www-01.ibm.com/support/docview.wss?uid=swg22012320
http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/SC-Firmware-Hist.html
NVIDIA
http://nvidia.custhelp.com/app/answers/detail/a_id/4611
2) Operating system manufacturers
Microsoft
https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/ADV180002
https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems (performance test result)
Apple
https://support.apple.com/zh-cn/HT208394
Android
https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html
https://www.chromium.org/Home/chromium-security/ssca
https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
RedHat
https://access.redhat.com/security/vulnerabilities/speculativeexecution
https://access.redhat.com/articles/3311301#page-table-isolation-pti-6
https://access.redhat.com/articles/3307751 (performance test result)
Ubuntu
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown
SUSE
https://www.suse.com/support/kb/doc/?id=7022512
https://www.suse.com/c/meltdown-spectre-performance/ (performance test result)
2.ZTE Products:
ZTE responded quickly to the security vulnerabilities and communicated actively with the related operating system and CPU suppliers.
Some products have been released to fix patches; Affected dependent products have been patched with regards to the related technical notice of engineering and implemented by on-site supporting teams. Customers can get necessary support for product security vulnerabilities through ZTE local technical service.
ZTE will keep up with the latest developments.
Affected Products and Fixing Plan
List of affected products and fixing plan:
|
Product Name |
Version |
Progress |
|
CGSL |
V4, V5, Core V1.x |
Repaired versions V5.04.F2 and Core V1.x was released on January 9.
Repaired version 4.05.F11 was released on January 20.
Repaired version Core V5.04.F3 was released on April 17.
Patch of V5.03 is expected to be released in early April. |
|
VPLAT |
ZXVEi, ZXVE |
Repair version ZXVEi V3.18.11. B1 was released on January 12.
Repair version ZXVEi V3.17.1.F10.EF11 was released on January 16.
Repair version ZXVEi V3.17.1.F20_20180117, V1.02.10.P7_20180117 were released on January 17.
Patches of ZXVEi V3.17.4/7/10/11 are expected to be released in the middle of Aprial. |
|
NR8250 |
V2.4.4 |
Repair plan is under development. |
|
EPC |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
IMS |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
SDM |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
CS |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
CG |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
EMS |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
MANO |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
VAS |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
TECS |
All |
Due to patches' performance issues, the patches releases are suspended. |
|
MCG 5311 |
|
Waiting for vendors to release patches. |
|
MCG 5362 |
|
Waiting for vendors to release patches. |
|
CT320 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT321 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT620 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT621 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
X320 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT321G3 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT621G2 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
|
CT342 |
|
Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28. |
Products Confirmed Not Vulnerable
ZTE has confirmed that vulnerabilities do not affect the following products:
|
TSP |
ZXR10 Series |
ZXCTN Series |
|
ZXMP ZXONE OTN |
ZXTIM |
ZXDNA |
|
Easymanager |
ZENIC |
MBB Series |
Reference
https://meltdownattack.com/meltdown.pdf
https://spectreattack.com/spectre.pdf
http://xenbits.xen.org/xsa/advisory-254.html
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe
Update Records
7 January 2018, initial.
8 January 2018, Affected Products and Fixing Plan updated.
9 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.
10 January 2018, Affected Products and Fixing Plan updated.
12 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.
15 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.
17 January 2018,Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.
19 January 2018, Affected Products and Fixing Plan updated.
22 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.
30 January 2018, Solution updated.
31 January 2018, Affected Products and Fixing Plan updated.
5 February 2018, Affected Products and Fixing Plan updated.
30 March 2018, Solution, Affected Products and Fixing Plan updated.
17 April 2018, Affected Products and Fixing Plan updated.
ZTE PSIRT
If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
|