About Mitigating Processor Vulnerability (Side-channel Attack)
Updated: December 27, 2019
Published: January 24, 2018
Thank you for your continued patronage for NEC Express5800 series products.
New Vulnerabilities (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646) have been recently found in processors supporting speculative execution and out-of-order execution features. These vulnerabilities could allow malicious programs to steal data stored in memory from the affected products.
Previously, this page addressed processors targeted with similar feature functions (referenced below).
Due to the similarities of these new vulnerabilities, countermeasures need to be taken in terms of both the system BIOS and the operating system.
January 2018(CVE-2017-5715、CVE-2017-5753、CVE-2017-5754)
May 2018(CVE-2018-3639、CVE-2018-3640)
Since August of 2018, details regarding these new vulnerabilities, countermeasures and announcements as well as details as to the current situation have been made available on this page. We will continue to release additional information as it becomes available.
Information on the vulnerabilities
- The following vulnerabilities could allow an attacker to obtain memory data from the affected products illegally.
- Unless a malicious program is executed on a system, these vulnerabilities should not affect the system.
Vulnerabilities Reported in August 2018 (CVE-2018-3615、CVE-2018-3620、CVE-2018-3646)
Relevant information:
CERT/CC Vulnerability Note VU# 982149
Intel processors are vulnerable to a speculative execution side-channel attack called L1 Terminal Fault (L1TF)
https://www.kb.cert.org/vuls/id/982149
Press release published by Intel Corporation
Security Exploits and Intel Products
https://newsroom.intel.com/press-kits/security-exploits-intel-products/
(Aug. 14, 2018: Protecting Our Customers through the Lifecycle of Security Threats)
Vulnerabilities reported in May 2018 (CVE-2018-3639, CVE-2018-3640)
Relevant information:
CERT/CC Vulnerability Note VU# 180049
CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks
https://www.kb.cert.org/vuls/id/180049
Press release published by Intel Corporation
Security Exploits and Intel Products
https://newsroom.intel.com/press-kits/security-exploits-intel-products/
(May 21, 2018: Addressing New Research for Side-Channel Analysis)
Vulnerabilities reported in January 2018 (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754
Relevant information:
CERT/CC Vulnerability Note VU#584653
CPU hardware vulnerable to side-channel attacks
https://www.kb.cert.org/vuls/id/584653
Press release published by Intel Corporation
Security Exploits and Intel Products
https://newsroom.intel.com/press-kits/security-exploits-intel-products/
(Jan. 3, 2018: Intel Responds to Security Research Findings)
Solution
For any of the vulnerabilities stated above, it is necessary to update the system BIOS of the applicable products and to apply a patch to the current operating system.
Updating the system BIOS
Please refer to the product list below for affected models and thier respective updates.
Download and apply all relevant update modules.
Countermeasures for the vulnerabilities announced in August 2018 (CVE-2018-3615、CVE-2018-3620、CVE-2018-3646) are the same as those vulnerabilities reported in May 2018 (CVE-2018-3639, CVE-2018-3640).
Affected products list and release schedule of module updates: Express5800 Server Series
- The list of the affected models and the information about update module releases will be updated sequentially.
- Only products which are within their respective intended product lifetimes are described.
-
Information for BIOS updates in response to the new vulnerabilities reported in May 2018,
(CVE-2018-3639 and CVE-2018-3640) have been added.
Precautions on updating the system BIOS
- Before obtaining and updating the BIOS, make sure to check the BIOS version of your device.
- Please install the latest version after performing any countermeasure procedures.
Applying security updates to the operating system
Please refer to information on security updates published by respective operating system vendors.
Note that some updates may reduce your system’s processing performance depending on the usage load of your system.
Mitigations for vulnerabilities reported in August 2018 (CVE-2018-3615、CVE-2018-3620、CVE-2018-3646)
Mitigations for vulnerabilities reported in May 2018 (CVE-2018-3639 and CVE-2018-3640)
Mitigations for vulnerabilities reported in January 2018 (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)
Top of this page