Bulletin: HPE ProLiant, Synergy, and Moonshot Systems – L1 Terminal Fault – SGX (CVE-2018-3615), L1 Terminal Fault – OS, SMM (CVE-2018-3620), L1 Terminal Fault – VMM (CVE-2018-3646) Security Vulnerabilities

SUPPORT COMMUNICATION - CUSTOMER BULLETIN

Document ID: a00053708en_us

Version: 1

NOTICE: The information in this document, including products and software versions, is current as of the Release Date. This document is subject to change without notice.

Release Date: 2018-08-14

Last Updated: 2018-08-14


DESCRIPTION

On August 14, 2018, Intel disclosed new vulnerabilities that impact processors which are supported on HPE ProLiant, Synergy, and Moonshot servers. These vulnerabilities, when exploited for malicious purposes, have the potential to allow the improper gathering of sensitive data.

These vulnerabilities use a speculative execution side-channel method which Intel is referring to as L1 Terminal Fault (L1TF). At the time of disclosure, Intel was not aware of any reports that L1TF has been used in real-world exploits.

Intel released updated microcode earlier in 2018, which HPE has already made available via System ROM updates. This updated microcode, when coupled with the new operating system and/or hypervisor software updates that are now being made available, provides mitigation for these vulnerabilities.

Intel has communicated that there is a portion of the market, principally a subset of those running traditional virtualization technology in data centers, where it may be advisable to take additional steps to protect systems. This may include enabling specific hypervisor core scheduling features or choosing to disable hyper-threading in specific scenarios. Consult recommendations of OS and Hypervisor vendors.

The table below includes information on these vulnerabilities:

| Vulnerability | CVE Number | CVE Grade | Mitigations Required |
|---|---|---|---|
| L1 Terminal Fault - SGX | CVE-2018-3615 | 7.9 - High | Microcode |
| L1 Terminal Fault - OS, SMM | CVE-2018-3620 | 7.1 - High | Microcode, OS Software |
| L1 Terminal Fault - VMM | CVE-2018-3646 | 7.1 - High | Microcode, OS Software, VMM Software |

An attack which exploits these vulnerabilities requires malicious code to run on the system. Therefore, practicing good security hygiene, including always keeping your software and firmware current, can reduce exposure to this vulnerability. Following security best practices and deploying HPE Gen10 Servers with secure Silicon Root of Trust technology can help protect businesses from malicious attacks.

Additional information on these vulnerabilities is available from Intel in the following Security Advisory:

Intel Security Advisory INTEL-SA-00161 Non-HPE site

IMPORTANT: New OS and Hypervisor updates are required to mitigate these vulnerabilities. The OS and Hypervisor Updates required for mitigation of previous side-channel analysis vulnerabilities (Spectre, Meltdown, Variant 3A, and Variant 4), do not mitigate the L1 Terminal Fault vulnerabilities.

All Operating System Links:

Red Hat:

https://access.redhat.com/security/vulnerabilities/L1TF Non-HPE site

Microsoft:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv180018 Non-HPE site

VMware:

https://www.vmware.com/security/advisories/VMSA-2018-0020.html Non-HPE site

SCOPE

The following table provides the HPE ProLiant, Synergy, and Moonshot servers which support processors impacted by these vulnerabilities. HPE has already made available updated System ROMs including the necessary microcode required to support mitigation of these issues.

NOTE: These vulnerabilities do NOT impact systems using AMD processors.

NOTE: L1 Terminal Fault – SGX only impacts systems that support Intel’s SGX functionality. Only the ProLiant m710x Server Cartridge supports SGX. All other systems listed are NOT vulnerable to L1 Terminal Fault – SGX.

NOTE: Intel has informed HPE that Itanium and Intel Phi 7200-series processors are NOT impacted by these vulnerabilities.

Impacted Server
HPE Apollo 4200 Gen9
ProLiant BL280c G6
ProLiant BL2x220c G6
ProLiant BL2x220c G7
ProLiant BL420c Gen8
ProLiant BL460c G6
ProLiant BL460c G7
ProLiant BL460c Gen10
ProLiant BL460c Gen8
ProLiant BL460c Gen9
ProLiant BL490c G6
ProLiant BL490c G7
ProLiant BL620c G7
ProLiant BL660c Gen8
ProLiant BL660c Gen9
ProLiant BL680 G7
ProLiant DL120 G7
ProLiant DL120 Gen10
ProLiant DL120 Gen9
ProLiant DL160 Gen10
ProLiant DL160 Gen8
ProLiant DL160 Gen9
ProLiant DL180 Gen10
ProLiant DL180 Gen9
ProLiant DL20 Gen9
ProLiant DL320 G6
ProLiant DL320e Gen8
ProLiant DL320e Gen8 v2
ProLiant DL360 G6
ProLiant DL360 G7
ProLiant DL360 Gen10
ProLiant DL360 Gen9
ProLiant DL360e Gen8
ProLiant DL360p Gen8
ProLiant DL370 G6
ProLiant DL380 G6
ProLiant DL380 G7
ProLiant DL380 G7 SE
ProLiant DL380 Gen10
ProLiant DL380 Gen9
ProLiant DL380e Gen8
ProLiant DL380p Gen8
ProLiant DL560 Gen10
ProLiant DL560 Gen8
ProLiant DL560 Gen9
ProLiant DL580 G7
ProLiant DL580 Gen10
ProLiant DL580 Gen8
ProLiant DL580 Gen9
ProLiant DL60 Gen9
ProLiant DL80 Gen9
ProLiant DL980 G7
ProLiant m510 Server Cartridge
ProLiant m710 Server Cartridge
ProLiant m710p Server Cartridge
ProLiant m710x Server Cartridge
ProLiant Microserver Gen8
ProLiant ML10
ProLiant ML10 v2
ProLiant ML110 G7
ProLiant ML110 Gen10
ProLiant ML110 Gen9
ProLiant ML150 Gen9
ProLiant ML30 Gen9
ProLiant ML310e Gen8
ProLiant ML310e Gen8 v2
ProLiant ML330 G6
ProLiant ML350 G6
ProLiant ML350 Gen10
ProLiant ML350 Gen9
ProLiant ML350e Gen8
ProLiant ML350e Gen8 v2
ProLiant ML350p Gen8
ProLiant ML370 G6
ProLiant SL210t Gen8
ProLiant SL230s Gen8
ProLiant SL250s Gen8
ProLiant SL270s Gen8
ProLiant SL2x170z G6
ProLiant SL390s G7
ProLiant SL4540 Gen8
ProLiant Thin Micro TM200
ProLiant WS460c Gen9
ProLiant XL170d Gen10
ProLiant XL170r Gen10
ProLiant XL170r Gen9
ProLiant XL190r Gen10
ProLiant XL190r Gen9
ProLiant XL220a Gen8 v2
ProLiant XL230a Gen9
ProLiant XL230k Gen10
ProLiant XL250a Gen9
ProLiant XL270d Accelerator Tray
ProLiant XL450 Gen10
ProLiant XL450 Gen9
ProLiant XL730f Gen9
ProLiant XL740f Gen9
ProLiant XL750f Gen9
Synergy 660 Gen10
Synergy Composer
Synergy SY480 Gen10
Synergy SY480 Gen9
Synergy SY620 Gen9
Synergy SY660 Gen9
Synergy SY680 Gen9

RESOLUTION

HPE recommends installing mitigations to these security vulnerabilities for impacted products. This includes updating to the revision of the System ROM that includes the Intel microcode that supports mitigation of these vulnerabilities as well as updating the OS and/or Hypervisor with a revision that supports mitigation.

Updated System ROMs including the Intel microcode that supports mitigation of these vulnerabilities are already available for all HPE ProLiant, Synergy, and Moonshot platforms impacted by these vulnerabilities. See the following table for the minimum revision of the System ROM which supports mitigation of these vulnerabilities.

| ROM Family | Server(s) | System ROM Revision Supporting Mitigation |
|---|---|---|
| U30 | ProLiant DL380 Gen10 | v1.42 (06/20/2018) |
| U31 | ProLiant DL160 Gen10, ProLiant DL180 Gen10 | v1.42 (06/20/2018) |
| U32 | ProLiant DL360 Gen10 | v1.42 (06/20/2018) |
| U33 | ProLiant ML110 Gen10 | v1.42 (06/20/2018) |
| U34 | ProLiant DL560 Gen10, ProLiant DL580 Gen10 | v1.42 (06/20/2018) |
| U36 | ProLiant DL120 Gen10 | v1.42 (06/20/2018) |
| U37 | ProLiant XL230k Gen10 | v1.42 (06/20/2018) |
| U38 | ProLiant XL170r Gen10, ProLiant XL190r Gen10 | v1.42 (06/20/2018) |
| U40 | ProLiant XL450 Gen10 | v1.42 (06/20/2018) |
| U45 | ProLiant XL270d Gen10 | v1.42 (06/20/2018) |
| U41 | ProLiant ML350 Gen10 | v1.42 (06/20/2018) |
| I41 | ProLiant BL460c Gen10 | v1.42 (06/20/2018) |
| I42 | HPE Synergy SY480 Gen10 | v1.42 (06/20/2018) |
| I43 | HPE Synergy 660 Gen10 | v1.42 (06/20/2018) |
| U13 | ProLiant XL230a Gen9, ProLiant XL250a Gen9 | v2.60 (5/21/2018) |
| U14 | ProLiant XL170r Gen9, ProLiant XL190r Gen9 | v2.60 (5/21/2018) |
| U15 | ProLiant DL60 Gen9, ProLiant DL80 Gen9 | v2.60 (5/21/2018) |
| U18 | ProLiant XL730f Gen9, ProLiant XL740f Gen9, ProLiant XL750f Gen9 | v2.60 (5/21/2018) |
| U19 | HPE Apollo 4200 Gen9 | v2.60 (5/21/2018) |
| U20 | ProLiant DL160 Gen9, ProLiant DL180 Gen9 | v2.60 (5/21/2018) |
| U21 | ProLiant XL450 Gen9 | v2.60 (5/21/2018) |
| U25 | ProLiant XL270d Accelerator Tray | v2.60 (5/21/2018) |
| P85 | ProLiant DL560 Gen9 | v2.60 (5/21/2018) |
| P86 | ProLiant DL120 Gen9 | v2.60 (5/21/2018) |
| P89 | ProLiant DL380 Gen9, ProLiant DL360 Gen9 | v2.60 (5/21/2018) |
| P92 | ProLiant ML350 Gen9 | v2.60 (5/21/2018) |
| P95 | ProLiant ML150 Gen9 | v2.60 (5/21/2018) |
| P99 | ProLiant ML110 Gen9 | v2.60 (5/21/2018) |
| I36 | ProLiant BL460c Gen9, WS460c Gen9 | v2.60 (5/21/2018) |
| I37 | HPE Synergy 480 Gen9 | v2.60 (5/21/2018) |
| I38 | ProLiant BL660c Gen9 | v2.60 (5/21/2018) |
| I39 | HPE Synergy 660 Gen9 | v2.60 (5/21/2018) |
| U17 | ProLiant DL580 Gen9 | v2.60 (5/23/2018) |
| I40 | HPE Synergy 620 Gen9, HPE Synergy 680 Gen9 | v2.60 (5/23/2018) |
| U26 | ProLiant Thin Micro TM200 | v2.60 (05/21/2018) |
| H05 | ProLiant m510 Server Cartridge | v1.68 (05/21/2018) |
| U22 | ProLiant DL20 Gen9 | v2.60 (5/23/2018) |
| U23 | ProLiant ML30 Gen9 | v2.60 (5/23/2018) |
| H07 | ProLiant m710x Server Cartridge | v1.68 (5/10/2018) |
| H06 | ProLiant m710p Server Cartridge | 5/21/2018 |
| I30 | ProLiant BL420c Gen8 | 5/21/2018 |
| I31 | ProLiant BL460c Gen8 | 5/21/2018 |
| I32 | ProLiant BL660c Gen8 | 5/21/2018 |
| J02 | ProLiant ML350e Gen8, ProLiant ML350e Gen8 v2 | 5/21/2018 |
| J03 | ProLiant DL160 Gen8 | 5/21/2018 |
| P70 | ProLiant DL380p Gen8 | 5/21/2018 |
| P71 | ProLiant DL360p Gen8 | 5/21/2018 |
| P72 | ProLiant ML350p Gen8 | 5/21/2018 |
| P73 | ProLiant DL360e Gen8, ProLiant DL380e Gen8 | 5/21/2018 |
| P74 | ProLiant SL4540 Gen8 | 5/21/2018 |
| P75 | ProLiant SL230s Gen8, ProLiant SL250s Gen8, ProLiant SL270s Gen8 | 5/21/2018 |
| P77 | ProLiant DL560 Gen8 | 5/21/2018 |
| P83 | ProLiant SL210t Gen8 | 5/21/2018 |
| P79 | ProLiant DL580 Gen8 | v2.20 (05/21/2018) |
| P88 | ProLiant ML10 | 5/21/2018 |
| J04 | ProLiant ML310e Gen8 | 5/21/2018 |
| J05 | ProLiant DL320e Gen8 | 5/21/2018 |
| J06 | Microserver Gen8 | 5/21/2018 |
| P78 | ProLiant ML310e Gen8 v2 | 5/21/2018 |
| P80 | ProLiant DL320e Gen8 v2 | 5/21/2018 |
| J10 | ProLiant ML10 v2 | 5/21/2018 |
| P94 | ProLiant XL220a Gen8 v2 | 5/21/2018 |
| H03 | ProLiant m710 Server Cartridge | 5/21/2018 |
| J08 | HPE Synergy Composer | 5/21/2018 |
| I25 | ProLiant BL620c G7, BL680 G7 | 5/21/2018 |
| P65 | ProLiant DL580 G7 | 5/21/2018 |
| P66 | ProLiant DL980 G7 | 5/21/2018 |
| I27 | ProLiant BL460c G7 | 5/21/2018 |
| I28 | ProLiant BL490c G7 | 5/21/2018 |
| I29 | ProLiant BL2x220c G7 | 5/21/2018 |
| P67 | ProLiant DL380 G7 | 5/21/2018 |
| P68 | ProLiant DL360 G7 | 5/21/2018 |
| P69 | ProLiant SL390s G7 | 5/21/2018 |
| V67 | ProLiant DL380 G7 SE | 5/21/2018 |
| J01 | ProLiant ML110 G7, DL120 G7 | 5/21/2018 |
| D22 | ProLiant ML350 G6 | 5/21/2018 |
| I21 | ProLiant BL490c G6 | 5/21/2018 |
| I22 | ProLiant BL280c G6 | 5/21/2018 |
| I24 | ProLiant BL460c G6 | 5/21/2018 |
| I26 | ProLiant BL2x220c G6 | 5/21/2018 |
| P62 | ProLiant DL380 G6 | 5/21/2018 |
| P63 | ProLiant ML370 G6, ProLiant DL370 G6 | 5/21/2018 |
| P64 | ProLiant DL360 G6 | 5/21/2018 |
| W07 | ProLiant ML330 G6, ProLiant DL320 G6 | 5/21/2018 |

The System ROMs are available as follows:

Click the following link:

https://support.hpe.com/hpesc/public/home

  1. Enter a product name (e.g., "DL380 Gen9") in the text search field and wait for a list of products to populate. From the products displayed, identify the desired product and click on the Drivers & software icon to the right of the product.
  2. From the Drivers & software dropdown menus on the left side of the page:
  3. Under Software Type, select "BIOS-(Entitlement Required)".
  4. For further filtering, if needed, select the specific Operating System from the Operating Environment.
  5. Select the appropriate version of the System ROM.
  6. Click Download.
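
To confirm on a running Linux host that both halves of the mitigation are in place, the following added example (not HPE code) compares the installed System ROM date with the minimum from the table above and classifies the kernel's own L1TF report, including the SMT case Intel's hyper-threading guidance refers to. It assumes the DMI `bios_version` field holds the ROM family and `bios_date` its release date; the function names and the family subset are illustrative.

```sh
#!/bin/sh
# Added example (not HPE code). Assumes Linux, and that the DMI BIOS version
# field holds the HPE ROM family (e.g. "P89") and bios_date its release date.

# Minimum ROM dates for a few families, copied from the bulletin's table.
min_rom_date() {
    case "$1" in
        U30|U31|U32|U33|U34) echo "06/20/2018" ;;
        P89|P92|I36)         echo "5/21/2018" ;;
        U17|U22|U23)         echo "5/23/2018" ;;
        *)                   return 1 ;;
    esac
}

# Turn M/D/YYYY or MM/DD/YYYY into a sortable YYYYMMDD number.
to_ymd() {
    m=${1%%/*}; rest=${1#*/}; d=${rest%%/*}; y=${rest#*/}
    # Strip one leading zero so printf does not read "08"/"09" as octal.
    printf '%04d%02d%02d\n' "$y" "${m#0}" "${d#0}"
}

# rom_status FAMILY DATE -> current | outdated | unknown-family
rom_status() {
    min=$(min_rom_date "$1") || { echo unknown-family; return 0; }
    if [ "$(to_ymd "$2")" -ge "$(to_ymd "$min")" ]; then
        echo current
    else
        echo outdated
    fi
}

# l1tf_status [FILE] -> classify the kernel's L1TF report (OS-side mitigation).
l1tf_status() {
    f=${1:-/sys/devices/system/cpu/vulnerabilities/l1tf}
    # A kernel without this file predates the L1TF OS update.
    [ -r "$f" ] || { echo no-kernel-support; return 0; }
    case "$(cat "$f")" in
        "Not affected"*)              echo not-affected ;;
        Mitigation*"SMT vulnerable"*) echo mitigated-smt-exposed ;;
        Mitigation*)                  echo mitigated ;;
        *)                            echo vulnerable ;;
    esac
}

family=$(cat /sys/class/dmi/id/bios_version 2>/dev/null || echo none)
rom_date=$(cat /sys/class/dmi/id/bios_date 2>/dev/null || echo 1/1/1970)
echo "ROM $family ($rom_date): $(rom_status "$family" "$rom_date"); L1TF: $(l1tf_status)"
```

A result of `mitigated-smt-exposed` on a virtualization host is the case where the OS or hypervisor vendor's guidance on core scheduling or hyper-threading applies.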

NOTE: The following ProLiant servers do not use an HPE BIOS and will NOT have an updated System ROM including the microcode required for mitigation of these vulnerabilities:

  • ProLiant DL160 G6
  • ProLiant SL160z G6
  • ProLiant SL160s G6
  • ProLiant SL170s G6
  • ProLiant SL2x170z G6

Hardware Platforms Affected: HPE ProLiant ML30 Gen9 Server, HPE ProLiant DL20 Gen9 Server, HPE Synergy 480 Gen9 Compute Module, HPE Synergy 660 Gen9 Compute Module, HPE Synergy Composer, HPE Synergy 620 Gen9 Compute Module, HPE Synergy 680 Gen9 Compute Module, HPE ProLiant XL270d Gen9 Server, HPE ProLiant m710x Server Cartridge, HPE ProLiant Thin Micro TM200 Server, HPE ProLiant DL360 Gen10 Server, HPE ProLiant BL460c Gen10 Server Blade, HPE Synergy 660 Gen10 Compute Module, HPE ProLiant DL380 Gen10 Server, HPE ProLiant DL560 Gen10 Server, HPE ProLiant XL230k Gen10 Server, HPE ProLiant XL170r Gen10 Server, HPE ProLiant XL190r Gen10 Server, HPE ProLiant DL120 Gen10 Server, HPE ProLiant DL160 Gen10 Server, HPE ProLiant DL180 Gen10 Server, HPE ProLiant DL580 Gen10 Server, HPE ProLiant ML110 Gen10 Server, HPE ProLiant ML350 Gen10 Server, HPE ProLiant XL450 Gen10 Server, HPE ProLiant DL380 G6 Server, HPE ProLiant BL460c G6 Server Blade, HPE ProLiant BL490c G6 Server Blade, HPE ProLiant ML370 G6 Server, HPE ProLiant ML350 G6 Server, HPE ProLiant DL360 G6 Server, HPE ProLiant DL370 G6 Server, HPE ProLiant BL280c G6 Server Blade, HPE ProLiant DL320 G6 Server, HPE ProLiant SL2x170z G6 Server, HPE ProLiant ML110 G6 Server, HPE ProLiant BL2x220c G6 Server Blade, HPE ProLiant DL360 G7 Server, HPE ProLiant DL380 G7 Server, HPE ProLiant DL580 G7 Server, HPE ProLiant BL460c G7 Server Blade, HPE ProLiant SL390s G7 Server, HPE ProLiant DL980 G7 Server, HPE ProLiant BL2x220c G7 Server Blade, HPE ProLiant BL490c G7 Server Blade, HPE ProLiant BL620c G7 Server Blade, HPE ProLiant BL680c G7 Server Blade, HPE ProLiant DL120 G7 Server, HPE ProLiant SL230s Gen8 Server, HPE ProLiant SL250s Gen8 Server, HPE ProLiant BL460c Gen8 Server Blade, HPE ProLiant DL380p Gen8 Server, HPE ProLiant DL320e Gen8 Server, HPE ProLiant ML310e Gen8 Server, HPE ProLiant ML350e Gen8 Server, HPE ProLiant DL380e Gen8 Server, HPE ProLiant BL660c Gen8 Server Blade, HPE ProLiant DL560 Gen8 Server, HPE ProLiant 
SL4540 Gen8 3 Node Server, HPE ProLiant DL360p Gen8 SE Server, HPE ProLiant ML310e Gen8 v2 Server, HPE ProLiant MicroServer Gen8, HPE ProLiant ML10 Server, HPE ProLiant SL210t Gen8 Server, HPE ProLiant SL270s Gen8 SE Server, HPE ProLiant ML350e Gen8 v2 Server, HPE ProLiant DL580 Gen8 Server, HPE ProLiant XL220a Gen8 v2 Server, HPE ProLiant XL730f Gen9 Server, HPE ProLiant DL180 Gen9 Server, HPE ProLiant DL360 Gen9 Server, HPE ProLiant BL460c Gen9 Server Blade, HPE ProLiant DL380 Gen9 Server, HPE ProLiant ML350 Gen9 Server, HPE ProLiant XL230a Gen9 Server, HPE ProLiant XL250a Gen9 Server, HPE ProLiant XL740f Gen9 Server, HPE ProLiant XL750f Gen9 Server, HPE ProLiant m710 Server Cartridge, HPE ProLiant DL120 Gen9 Server, HPE ProLiant ML150 Gen9 Server, HPE ProLiant DL60 Gen9 Server, HPE ProLiant DL80 Gen9 Server, HPE ProLiant ML10 v2 Server, HPE ProLiant ML110 Gen9 Server, HPE ProLiant XL170r Gen9 Server, HPE ProLiant XL190r Gen9 Server, HPE ProLiant WS460c Gen9 Graphics Server Blade, HPE ProLiant DL580 Gen9 Server, HPE ProLiant BL660c Gen9 Server Blade, HPE ProLiant DL560 Gen9 Server, HPE Apollo 4200 Gen9 Server, HPE ProLiant XL450 Gen9 Server, HPE ProLiant m710p Server Cartridge
Operating Systems Affected: Not Applicable
Software Affected: Not Applicable
Support Communication Cross Reference ID: SIK3675
©Copyright 2018 Hewlett Packard Enterprise Development LP
Hewlett Packard Enterprise Development shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HPE nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise Development and the names of Hewlett Packard Enterprise Development products referenced herein are trademarks of Hewlett Packard Enterprise Development in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Legal Disclaimer: Products sold prior to the November 1, 2015 separation of Hewlett-Packard Company into Hewlett Packard Enterprise Company and HP Inc. may have older product names and model numbers that differ from current models.
