
Bulletin: HPE Servers - Some Systems Using Certain Intel Processors Are Vulnerable to Local Denial of Service and Execution of Arbitrary Code

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00036596en_us

Version: 3

Bulletin: (Revision) HPE Servers - Some Systems Using Certain Intel Processors Are Vulnerable to Local Denial of Service and Execution of Arbitrary Code
NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2017-12-18

Last Updated: 2017-12-18


DESCRIPTION

Document revision history (version, release date, details):

Version 3 (12/15/2017): IE Firmware 0.1.4.4, a solution in a previous version of this Bulletin, has been removed from hpe.com. An updated version of IE firmware has replaced it, and this document has been updated with that solution as well as additional information.

Version 2 (11/30/2017): Updated to include the ProLiant m710x server cartridge and associated download.

Version 1 (11/20/2017): Original document release.

Security researchers disclosed to Intel a vulnerability in Intel’s Management Engine firmware. Exploiting this vulnerability requires physical access to the Intel processor complex in order to run non-authenticated code. Intel recommends that a mandatory patch be applied to address this vulnerability in their firmware. It is HPE’s policy to retain and carry forward the mandatory status of security-related firmware patches from its supplier.

To detect unauthorized physical access, HPE offers an optional hood latch that can record that the hood was opened even while the server was not plugged in. Because this Intel firmware vulnerability requires physical access to the “serial peripheral chip” on the motherboard, the hood latch can reveal whether unexpected access to the HPE server occurred. HPE’s Silicon Root of Trust limits the risk of attacks by ensuring that the System ROM, Integrated Lights-Out (iLO) firmware and Intel Management Engine firmware are not vulnerable to attempts by malicious code executed to corrupt their contents.

For more information on System Intrusion detection, refer to Page 28 of the HPE Gen10 Security Reference Guide:

https://support.hpe.com/hpsc/doc/public/display?docId=a00018320en_us

Intel has released new revisions of the Intel Server Platform Service (SPS) firmware to address this vulnerability.

The new revisions address the following security vulnerabilities:

  • CVE-2017-5706 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5706
  • CVE-2017-5709 - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5709
CVE ID, draft title and CVSSv3 vector:

CVE-2017-5706: Multiple buffer overflows in kernel in Intel Server Platform Services Firmware 4.0 allow attackers with local access to the system to execute arbitrary code.
  CVSS 8.2 High - AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2017-5709: Multiple privilege escalations in kernel in Intel Server Platform Services Firmware 4.0 allow an unauthorized process to access privileged content via an unspecified vector.
  CVSS 7.5 High - AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N

These vulnerabilities are NOT unique to HPE servers and will affect any systems using Intel’s identified processor architectures with impacted firmware revisions. HPE’s Silicon Root of Trust designed into HPE ProLiant and Synergy Gen10 servers may limit certain attacks associated with the vulnerability by ensuring that the System ROM, Integrated Lights-Out (iLO) firmware, and Innovation Engine (IE) firmware are not vulnerable to attempts by malicious code executed in the SPS environment to corrupt their contents.

SCOPE

Any of the platforms listed in the Products section below with the following processors:

For the ProLiant DL20 Gen9 server, the ProLiant ML30 Gen9 server, and the ProLiant m710x server cartridge:

Intel Xeon Processor E3-1200v5 and v6 product family

For all impacted ProLiant and Synergy Gen10 systems:

Intel Xeon Processor Scalable Family

RESOLUTION

For impacted ProLiant, Synergy, and HPE ConvergedSystem 500 for SAP HANA Gen10 systems, the System ROM, the Innovation Engine, and the SPS firmware must all be updated. Ensure that they are updated in the specific order outlined below.

IMPORTANT:

In addition to making sure the components are updated IN THE ORDER SPECIFIED BELOW, ensure that all instructions, including any required reboots, on how to flash the firmware are followed. This is crucial for a successful update.

If, after the reboot, this tool still reports that the system is vulnerable, verify the SPS firmware version (it is shown both in the iLO GUI and on the HPE pre-boot System Information page, which is part of System Utilities). If the SPS firmware version is not reported as the latest version, the flash did not complete properly. Note that A REBOOT IS REQUIRED after running the flash components before the firmware revision is reported correctly.

  1. First, update the System ROM to version 1.26 (or later).
  2. Then, update the Innovation Engine to version 0.1.5.2 (or later).
  3. Finally, update the SPS firmware to version 04.00.04.288.
  4. As a last step, update to the Gen10 System Recovery Set.

The System ROM and IE firmware must both be updated first, AND IN THE ORDER LISTED ABOVE, to support the required updates to the Intel SPS firmware.

Note: Although there is generally no need to downgrade firmware, once the Innovation Engine is updated to version 0.1.5.2, any attempt to flash an older Innovation Engine or older SPS firmware will not succeed.

The updates are available as follows:

For the ProLiant Gen10 Platform SYSTEM ROM:

a. Click the following link:

https://support.hpe.com/hpesc/public/home

b. Enter a product name (e.g., "ML350 Gen10") in the text search field and wait for a list of products to populate. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.

c. From the Drivers & software dropdown menus on the left side of the page:

d. Select the Software Type (for the System ROM, e.g., BIOS (Entitlement Required)).

e. Select the Software Sub Type (e.g., System ROM).

f. For further filtering, if needed, select the specific operating system from the Operating Environment menu.

g. Select System ROM Version 1.26 (or later). Note: To ensure the latest version is downloaded, click the Revision History tab to check whether a newer version of the firmware/driver is available.

h. Click Download.

NOTE: It is recommended to sign in with an HPE Passport account that is linked to your HPE Support Center (SC) profile. Refer to the Help topic available on the sign-in page regarding linking active warranties and/or support agreements to enable download of entitled firmware packages.

For the Gen10 Platform INNOVATION ENGINE (IE) FIRMWARE:

Windows: https://www.hpe.com/global/swpublishing/MTX-7a92b1a4a7cd46e3b433087416

Linux: https://www.hpe.com/global/swpublishing/MTX-c584e6e40338427595214893b1

For the Gen10 Platform SPS FIRMWARE: https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_7c14bc5f198a4761bb70335faa

IMPORTANT:

The first reboot after flashing these deliverables will take several minutes to complete, and could give the appearance that the system has become unresponsive; however, this is not the case. No action is needed. Allow the system to complete the updates.

For Gen10 systems, in addition to the ROM, IE, and SPS firmware updates, a System Recovery Set update is required after updating to these firmware versions, in order to maintain proper Secure Start protection.

The Gen10 System Recovery Set Update ISO Version 1.00 removes the previous System Recovery Set and initializes the System Recovery Set to include BIOS Version 1.26, Innovation Engine Version 0.1.5.2, Intel SPS Version 4.0.04.288, and HPE Integrated Lights-Out 5 (iLO 5) Version 1.15.

The Gen10 System Recovery Set is available here:

https://support.hpe.com/hpsc/swd/public/detail?swItemId=MTX_e11f0eceeeec4503a4c1b510e8


For the ProLiant DL20 Gen9, and the ProLiant ML30 Gen9 server:

Update the SPS firmware to version 04.01.04.054. For these platforms, only the SPS firmware update is required.

The firmware is available as follows:

Click the following link: https://support.hpe.com/hpesc/public/home

a. Enter a product name (e.g., "ML30 Gen9") in the text search field and wait for a list of products to populate. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.

b. At the top of the page, in the Search box under the "Hewlett-Packard Enterprise Support Center" heading, type in "SPS" and click the magnifying glass icon on the right.

c. Download Server Platform Services (SPS) Firmware, and choose version 04.01.04.054 (or later).

For the ProLiant m710x Server Cartridge:

Update the HPE ProLiant m710x Server Cartridge ME Firmware to version 10/17/2017. For this platform, only the ME firmware update is required.

The firmware is available as follows:

  1. Click the following link:

    https://support.hpe.com/hpesc/public/home

  2. Enter a product name (e.g. "m710x") in the text search field.
  3. Click the Magnifying Glass icon.
  4. Select the appropriate product model from the Results list (if prompted).
  5. Click the "Drivers & Software" hyperlink under the Filter Results.
  6. Select the specific operating system from the Operating Environment dropdown menu on the left side of the page.
  7. Select the Software Type, Firmware, from the dropdown menu on the left side of the page.
  8. Select the latest release of HPE ProLiant m710x Server Cartridge ME Firmware Version 10/17/2017.
  9. Click "Download."
  10. Follow the instructions on the download page.

RECEIVE PROACTIVE UPDATES : Receive support alerts (such as Customer Advisories), as well as updates on drivers, software, firmware, and customer replaceable components, proactively via e-mail through HPE Subscriber's Choice. Sign up for Subscriber's Choice at the following URL: Proactive Updates Subscription Form.

NAVIGATION TIP : For hints on navigating HPE.com to locate the latest drivers, patches, and other support software downloads for ProLiant servers and Options, refer to the Navigation Tips document.


Hardware Platforms Affected: HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE ProLiant m710x Server Cartridge, HPE ProLiant MicroServer Gen10, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE Apollo 2000 System, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE Apollo 4510 System, HPE ProLiant XL450 Gen10 Server, HPE Apollo 6000 DLC System, HPE ConvergedSystem 500 for SAP HANA Scale-out Configurations, HPE ConvergedSystem 500 for SAP HANA Scale-up Configurations
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK2708
©Copyright 2018 Hewlett Packard Enterprise Company, L.P.
Hewlett Packard Enterprise Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Company and the names of Hewlett Packard Enterprise Company products referenced herein are trademarks of Hewlett Packard Enterprise Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
