Hewlett Packard Enterprise Product Security Vulnerability Alerts

On March 13, 2018, CTS Labs publicly released information regarding research into security vulnerabilities impacting some AMD products. In terms of HPE Servers, the relevant vulnerabilities impact the AMD Secure Processor (PSP) utilized in the AMD EPYC 7000 Series processor used on the HPE ProLiant DL385 Gen10 and HPE Cloudline CL3150 Gen10 servers. No other HPE server products are impacted by these potential vulnerabilities.

HPE is working with AMD to determine the extent of the vulnerability, and what precautions might be needed to mitigate any exposure. Fortunately, the new HPE DL385 Gen10 product ships with all the new HPE security features, including the HPE Silicon Root of Trust. This new HPE technology protects against typical denial of service or permanent denial of service conditions that might be caused by one part of this vulnerability.

As HPE, working with AMD, learns more information, we will update our communications. In addition, please reference the following statement published by AMD on March 20.

Recently, Side-Channel (Spectre & Meltdown) security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. Intel provided an initial high level statement here.

In addition, we are alerting our customers to an Intel statement published on January 22, 2018 regarding issues associated with the Intel microcode patch designed to address the Side-Channel Analysis vulnerability. Intel recommends that customers stop deployment of the HPE ProLiant, HPE Synergy, HPE Superdome Flex and HPE Superdome X System ROMs that include the updated microcode and revert back to the previous version of System ROM. The impact assessment linked below has been updated accordingly. Please reference the HPE Customer Guidance Pack and HPE Customer Advisory for additional details about this issue. Please note that the HPE ProLiant DL385 Gen10 with the AMD microcode update is working as designed and has mitigated the risk associated with the Side Channel Analysis vulnerability.

Impact assessment for HPE Products is available here.

Links to patches for affected HPE products are available here.

Additional details on HPE Support Center

Recently, one of our suppliers, Intel, discovered a potential security vulnerability in their Server Platform Services (SPS) firmware. The security vulnerability affected several of their processor architectures; however, not all of the impacted Intel server processor architectures are used in HPE products. Specifically, the SPS/ME firmware used in Intel’s architecture can be compromised using physical access. As a result, non-authenticated code may be executed in the SPS environment outside of the visibility of the user and operating system administrator.

These vulnerabilities are not unique to HPE servers and will affect any systems using Intel’s identified processor architectures with impacted firmware revisions.

Impact assessments for HPE Products as HTML or Spreadsheet

Additional details on HPE Support Center

On October 16, 2017, security researchers Mathy Vanhoef and Frank Piessens described vulnerabilities in Wi-Fi Protected Access II (WPA2) by publishing a research paper, "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2". Certain Vulnerable WPA2 handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or wireless client. This allows for an attacker within range of an affected AP and wireless client to execute arbitrary packet decryption, packet injection, TCP connection hijacking, and HTTP content injection.

This vulnerability has the following CVEs assigned: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.

Impact assessments for HPE Products as HTML or Spreadsheet

Additional details on HPE Support Center

The REST Plugin in Apache Struts2 is using a XStreamHandler with an instance of XStream for deserialization without any type filtering which could lead to Remote Code Execution when deserializing XML payloads. An attacker could use this flaw to execute arbitrary code or to conduct further attacks.

To learn more about CVE-2017-9805, see the MITRE CVE dictionary and NIST NVD.

Impact assessments for HPE Products as HTML or Spreadsheet

Additional details on HPE Support Center

On May 12th, 2017, a ransomware attack was deployed by unknown actors against Microsoft Windows clients. The attack caused PCs and servers to be encrypted as part of a ransomware type of Denial of Service attack. On March 14, 2017 Microsoft released MS17-010, a patch which addresses the vulnerability. Additional information about this vulnerability is available from Microsoft - MS17-010 and from NVD - CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2016-0148.

Impact assessments for HPE Products as HTML or Spreadsheet

Additional details on HPE Support Center

On May 1st, 2017, Intel disclosed a new vulnerability in their Intel Manageability Firmware which is utilized on some systems containing Intel processors. This vulnerability allows an unprivileged network or local attacker to gain control of the remote manageability features of Intel Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT) platforms. Additional information about this vulnerability is available at CVE-2017-5689.

Impact assessments for HPE Products as HTML or Spreadsheet

Additional details on HPE Support Center

On March 6th, 2017, Apache disclosed a new vulnerability in Apache Struts 2. The vulnerability allows remote code execution when performing file upload using the Jakarta multipart parser used in Apache Struts 2. This flaw allows an attacker to send invalid content-type HTTP header as part of the file upload request which could result in execution of arbitrary code on the vulnerable system. If exploited, the attacker can steal critical data and/or take control of the affected system. Additional information about this vulnerability is available at CVE-2017-5638.


Product Impact Assessment HTML

Product Impact Assessment Spreadsheet

Additional Details

On October 19, 2016, a privilege escalation vulnerability in Linux kernel was disclosed. A race condition was found in a way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. This flaw allows an unprivileged local user to gain write access to otherwise read-only memory mappings and thus gaining increased privileges on the Linux kernel. This vulnerability is referred to as “Dirty COW”. Additional information about this vulnerability is available at CVE-2016-5195.

Product Impact Assessment HTML

Product Impact Assessment Spreadsheet

Additional Details

On August 15th, 2016, a vulnerability referred to as “FalseCONNECT”, in the implementation of HTTP 407 (proxy authentication required) for the CONNECT method was disclosed. Since these requests are always made in plain text over HTTP, they are susceptible to man-in-the-middle attacks that may be leveraged to expose user credentials, and in some implementations, render HTML and scripts in the client DOM within a security context. The injection as well as tampering of 407 authentication headers in the context of the CONNECT method can subject a user to phishing as well as authentication downgrade attacks. Additional information about the vulnerability is available at CERT VU#905344. 

Product Impact Assessment

Additional Details

On July 18th, 2016, a vulnerability in the handling of HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. This vulnerability could allow an unauthenticated, remote attacker to perform man-in-the-middle attack (MITM) or redirect outbound traffic to an arbitrary server that can cause disclosure of sensitive information. Additional information about this vulnerability is available at CVE-HTTPoxy.  

Product Impact Assessment HTML

Product Impact Assessment Spreadsheet

Additional Details

On March 1st 2016, a new attack was released which is being referred to as DROWN - Decrypting RSA using Obsolete and Weakened eNcryption. This is a cross-protocol attack that exploits a vulnerability in SSLv2 to decrypt passively collected TLS sessions. Additional information about the vulnerability is available at CVE-2016-0800.

Product Impact Assessment

Additional Details

On February 16, 2016, a stack-based buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the getaddrinfo() library function of the glibc. Applications using this function may be exploited by attackers by performing remote code execution on the affected device. Additional information about the vulnerability is available on the NIST website CVE-2015-7547. 

Product Impact Assessment

Additional Details

Overview

On August 6th 2015, at the Black Hat security conference in Las Vegas, security researcher Christopher Domas demonstrated installing a rootkit in a PC's firmware. Domas nicknamed the demonstration a “memory sinkhole’. The attack exploited a feature built into x86 chips manufactured since the mid-1990’s until the 2011 release of Intel Xeon Processor E5-2600 Series (i.e., Sandy Bridge-EP).

The vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System Management Mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. The demonstration exploit uses the UEFI code features to install a rootkit.

Potential Impact

HPE has investigated the potential impact of this issue on our Enterprise products (i.e., Servers, Storage and Networking) and determined that HPE ProLiant Gen8 and Gen9-series servers are not vulnerable, as Intel previously addressed this design flaw in Intel Xeon Processor E5-2600 Series and subsequent models of server processors. Please note that Intel Xeon Processor E5-2600 Series are used in ProLiant Gen8 servers. 

In addition, HPE has investigated the potential impact of this issue on HPE ProLiant G5, G6 and G7-series servers and determined they are not vulnerable to the specific attack demonstrated by Christopher Domas at the Black Hat security conference. Intel is providing a microcode update for these servers which will prevent a potential security breach, if an attempt is made to exploit this vulnerability. As an added measure of security, HPE plans to implement this microcode in updated ProLiant System ROMs, which will be made available for download on HPE Support Center, at no cost to customers.

What can you do?

Please check back for updates to this page regarding the availability of updated System ROMs for ProLiant G5, G6 and G7-series servers.

Additional details

A vulnerability affecting DNS name servers based on ISC BIND was announced on July 28, 2015. This vulnerability could allow a remotely exploitable Denial of Service against name servers running ISC BIND. Additional information about the ISC BIND TKEY query handling vulnerability is available at CVE-2015-5477.

Additional details

On July 9, 2015, OpenSSL disclosed a flaw in the way alternative certificate chains are verified. This only impacts versions of OpenSSL released since June 2015: v1.0.2c, v1.0.2b, v1.0.1o and v1.0.1n. Exploitation of this vulnerability could allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. Additional information about the VENOM vulnerability is available on the NIST web site CVE-2015-1793. 

Additional details

On May 13, 2015, a vulnerability was announced in the virtual floppy drive code used by many virtualization platforms. Exploitation of this vulnerability could allow an attacker to escape from the affected Virtual Machine (VM) guest and potentially execute code on the host. Additional information about the VENOM vulnerability is available on the NIST web site CVE-2015-3456.

Additional details

On January 27, 2015, a buffer overflow vulnerability in GNU C library (glibc) was publicly disclosed. The flaw was discovered in the gethostbyname set of functions of the GNU C library (glibc) and could be used to execute arbitrary code. Additional information about the vulnerability is available on NIST web site CVE-2015-0235.

Additional details

On October 14, 2014, a vulnerability in the SSLv3 protocol was released. An exploitation of this vulnerability could allow an attacker to decrypt portions of encrypted traffic via a POODLE (Padding Oracle on Downgraded Legacy Encryption) attack. Additional information about SSLv3 POODLE vulnerability is available on NIST web site CVE-2014-3566.

Additional details

A recent Bash vulnerability affecting Unix-based operating systems, such as Linux and Mac OS X, was announced on September 24, 2014. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. More information about this issue is available at CVE-2014-7169.

Additional details

On April 8, 2014, HP was notified of an OpenSSL vulnerability CVE-2014-0160 (now known as "Heartbleed"). This vulnerability has garnered a substantial amount of media attention. See resources section for link to National Vulnerability Database entry describing vulnerability in detail. OpenSSL is used in some HP products to provide encryption and SSL services. 

Additional details