Meltdown and Spectre Vulnerabilities

Original release date: 7 January 2018

Update date: 17 April 2018

 

CVE IDs

Meltdown: CVE-2017-5754

Spectre:  CVE-2017-5715, CVE-2017-5753

 

CVSS Base Scores

CVE-2017-5754: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVE-2017-5715: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

CVE-2017-5753: 5.6 Medium(CVSS:AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)

 

Description

Meltdown vulnerability destroys the basic isolation between the user program and the operating system, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Spectre vulnerabilities undermines the security isolation between different applications, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

 

Scope

The Intel chips produced after 1995 are affected. AMD, Qualcomm, ARM and POWERPC processors are also affected.

 

Solution

1.For 3rd party platforms

The operating system and CPU manufacturers have released upgraded patch, it is recommended that users upgrade and install patches after performance test verification and evaluation of the actual running business.

1) CPU manufactures

Intel   

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://newsroom.intel.com/news/firmware-updates-and-initial-performance-data-for-data-center-systems/ (performance test result)

AMD

http://www.amd.com/en/corporate/speculative-execution

ARM

https://developer.arm.com/support/security-update

IBM

http://www-01.ibm.com/support/docview.wss?uid=swg22012320

http://download.boulder.ibm.com/ibmdl/pub/software/server/firmware/SC-Firmware-Hist.html

NVIDIA

http://nvidia.custhelp.com/app/answers/detail/a_id/4611

 

2) Operating system manufacturers

Microsoft

https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/ADV180002

https://cloudblogs.microsoft.com/microsoftsecure/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems (performance test result)

Apple

https://support.apple.com/zh-cn/HT208394

Android

https://googleprojectzero.blogspot.co.at/2018/01/reading-privileged-memory-with-side.html

https://www.chromium.org/Home/chromium-security/ssca

https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html

RedHat

https://access.redhat.com/security/vulnerabilities/speculativeexecution

https://access.redhat.com/articles/3311301#page-table-isolation-pti-6

https://access.redhat.com/articles/3307751 (performance test result)

Ubuntu

https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

SUSE

https://www.suse.com/support/kb/doc/?id=7022512

https://www.suse.com/c/meltdown-spectre-performance/ (performance test result)

 

2.ZTE Products:

ZTE responded quickly to the security vulnerabilities and communicated actively with the related operating system and CPU suppliers.

Some products have been released to fix patches; Affected dependent products have been patched with regards to the related technical notice of engineering and implemented by on-site supporting teams. Customers can get necessary support for product security vulnerabilities through ZTE local technical service.

ZTE will keep up with the latest developments.

 

Affected Products and Fixing Plan

List of affected products and fixing plan:

Product Name

Version

Progress

CGSL

 V4,  V5, Core  V1.x

Repaired versions V5.04.F2 and  Core  V1.x was released on January 9.
Repaired version 4.05.F11 was released on January 20.
Repaired version Core V5.04.F3 was released on April 17.
Patch of V5.03 is expected to be released in early April.

VPLAT

ZXVEi, ZXVE

Repair version ZXVEi V3.18.11. B1 was released on January 12.
Repair version ZXVEi V3.17.1.F10.EF11 was released on January 16.
Repair version ZXVEi V3.17.1.F20_20180117, V1.02.10.P7_20180117 were released on January 17.
Patches of ZXVEi V3.17.4/7/10/11 are expected to be released in the middle of Aprial.

NR8250

V2.4.4

Repair plan is under development.

EPC

All

Due to patches' performance issues, the patches releases are suspended.

IMS

All

Due to patches' performance issues, the patches releases are suspended.

SDM

All

Due to patches' performance issues, the patches releases are suspended.

CS

All

Due to patches' performance issues, the patches releases are suspended.

CG

All

Due to patches' performance issues, the patches releases are suspended.

EMS

All

Due to patches' performance issues, the patches releases are suspended.

MANO

All

Due to patches' performance issues, the patches releases are suspended.

VAS

All

Due to patches' performance issues, the patches releases are suspended.

TECS

All

Due to patches' performance issues, the patches releases are suspended.

MCG 5311

 

Waiting for vendors to release patches.

MCG 5362

 

Waiting for vendors to release patches.

CT320

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT321

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT620

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT621

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

X320

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT321G3

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT621G2

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

CT342

 

Repair version R_ZXCLOUD-iBOX-CT V3.05.09 was released on March 28.

 

Products Confirmed Not Vulnerable

ZTE has confirmed that vulnerabilities do not affect the following products:

TSP

ZXR10 Series

ZXCTN Series

ZXMP ZXONE OTN

ZXTIM

ZXDNA

Easymanager

ZENIC

MBB Series

 

Reference

https://meltdownattack.com/meltdown.pdf

https://spectreattack.com/spectre.pdf

http://xenbits.xen.org/xsa/advisory-254.html

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

https://support.microsoft.com/en-us/help/4073119/windows-client-guidance-for-it-pros-to-protect-against-speculative-exe

 

Update Records

7 January 2018, initial.

8 January 2018, Affected Products and Fixing Plan updated.

9 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.

10 January 2018, Affected Products and Fixing Plan updated.

12 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.

15 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.

17 January 2018,Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.

19 January 2018, Affected Products and Fixing Plan updated.

22 January 2018, Affected Products and Fixing Plan, Products Confirmed Not Vulnerable updated.

30 January 2018, Solution updated.

31 January 2018, Affected Products and Fixing Plan updated.

5 February 2018, Affected Products and Fixing Plan updated.

30 March 2018, Solution, Affected Products and Fixing Plan updated.

17 April 2018, Affected Products and Fixing Plan updated.

 

ZTE PSIRT

If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.

[Close]