Hewlett Packard Enterprise Product Security Vulnerability Alerts
HPE Product Security Practices
Hewlett Packard Enterprise incorporates IT industry best practices during the product development lifecycle to ensure a strong focus on security. HPE engineering and manufacturing practices are designed to meet product security requirements, protect HPE intellectual property, and support HPE product warranty requirements.
When a new industry-wide security vulnerability is released, HPE investigates its product line to determine the impact. For impacted products, Security Bulletins will be published. These bulletins will contain impacted product versions and the resolution (patch, upgrade, or configuration change).
You may subscribe to receive real-time notifications on future HPE Security Bulletins and advisories for your products - Subscribe to alerts for your products.
Product security vulnerability alerts
-
Linux Kernel TCP SACK Panic Remote Denial of Service (CVE-2019-11477, CVE-2019-11478, CVE-2019-11479)
Three related flaws were found in the Linux kernel’s handling of TCP networking. The most severe vulnerability could allow a remote attacker to trigger a kernel panic in systems running the affected kernel and impact the system availability. The issues have been assigned the following CVEs:
CVE-2019-11477 : SACK Panic
CVE-2019-11478 : SACK Slowness
CVE-2019-11479 : Excess Resource Consumption Due to Low MSS Values
The first two CVEs are related to Selective Acknowledgement (SACK) packets combined with the TCP Maximum Segment Size (MSS), while the third CVE is related to the Maximum Segment Size (MSS).
Impact assessment for HPE Products is available here.
Additional details on HPE Support Centre.
-
Microarchitectural Data Sampling (a.k.a. MDS, ZombieLoad, RIDL & Fallout)
On 14 May 2019, Intel and other industry partners shared details and information about a new group of vulnerabilities collectively called Microarchitectural Data Sampling (MDS). These security vulnerabilities in CPUs may allow information disclosure. Intel is releasing microcode updates (MCU) to mitigate these potential vulnerabilities. These are coupled with corresponding updates to operating system and hypervisor software.
More details are available through CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091 and the Intel Security Advisory.
Impact assessment for HPE Products is available here.
Additional details on HPE Support Centre.
-
AMI Aspeed Open BMC Reconfiguration and Security Override, aka Pantsdown, CVE-2019-6260
On 23 January 2019, security researcher Stewart Smith published a blog post disclosing operating-system-level attacks against underlying computer system components called Baseboard Management Controllers, or BMCs. The vulnerability was nicknamed “Pantsdown” due to the surprising nature of the attack. CVE-2019-6260 was assigned to this issue. The attack was also asserted to be used in the so-called ‘Cloudborne’ attack discussed in media. The BMC attacks could allow the low-level firmware to be reflashed, hardware passwords to be changed, and the system to become inoperable. Impacted BMCs from third-party vendors are being assessed, and updates will be provided from HPE.
To learn more about CVE-2019-6260, see the NIST NVD
Impact assessment for HPE Products is available here
Additional details on HPE Support Centre
-
Apache Struts 2 – Remote Code Execution Vulnerability (CVE-2018-11776)
On 22 August, Apache announced that Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 can suffer from Remote Code Execution in the context of the application. Struts 2 is used in several HPE products. To learn more about CVE-2018-11776, see the MITRE CVE Dictionary and NIST NVD.
Impact assessment for HPE Products is available here
Additional details on HPE Support Centre
-
L1 Terminal Fault – SGX (CVE-2018-3615), L1 Terminal Fault – OS, SMM (CVE-2018-3620), L1 Terminal Fault – VMM (CVE-2018-3646)
On 14 August 2018, Intel disclosed new vulnerabilities that impact processors which are supported on certain HPE platforms. These vulnerabilities, when exploited for malicious purposes, have the potential to allow the improper gathering of sensitive data.
These vulnerabilities use a speculative execution side-channel method which Intel is referring to as L1 Terminal Fault (L1TF). At the time of disclosure, Intel was not aware of any reports that L1TF has been used in real-world exploits. Intel had released updated microcodes earlier in 2018, which HPE has subsequently made available via System ROM updates. These updated microcodes, when coupled with new operating system and/or hypervisor software updates which are now being made available, provide mitigation for these vulnerabilities.
Intel has communicated that there is a portion of the market, principally a subset of those running traditional virtualisation technology in data centres, where it may be advisable to take additional steps to protect systems. This may include enabling specific hypervisor core scheduling features or choosing to disable hyper-threading in specific scenarios. Consult recommendations of OS and Hypervisor vendors.
Impact assessment for HPE Products is available here
Additional details on HPE Support Centre
-
Speculative Store Bypass (Variant IV) CVE-2018-3639 & Rogue Register Load (Variant 3a) CVE-2018-3640 Vulnerabilities
On 21 May 2018, an industry-wide vulnerability was disclosed that involves modern microprocessor architectures. Based on new security research, there are software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. At this time, this vulnerability is known as Speculative Store Bypass or Variant 4 (CVE-2018-3639). While this vulnerability shares many similarities with the recently disclosed Side-Channel Analysis Method, or Spectre and Meltdown, this is a new vulnerability requiring new and unique mitigations.
The Speculative Store Bypass or Variant 4 vulnerability impacts microprocessor architectures from multiple CPU vendors, including Intel, AMD and ARM. To address this vulnerability, hardware and software vendors from across the industry, including HPE, have been working together to develop mitigation strategies. Mitigation for Intel-based products requires both OS updates and System ROM updates including a new Intel microcode. Mitigation for AMD-based products requires only an OS update.
In addition, on 21 May 2018, another vulnerability was disclosed referred to as Rogue Register Load or Variant 3A (CVE-2018-3640) that allows an attacker to improperly access processor registers. This vulnerability impacts Intel-based products only. Mitigation for this vulnerability requires only a System ROM update including a new Intel microcode. The same microcode required for mitigation of Speculative Store Bypass or Variant 4 will also mitigate Rogue Register Load or Variant 3A.
Intel Itanium Processors are not exposed to either Speculative Store Bypass (CVE-2018-3639) or Rogue Register Load (CVE-2018-3640) vulnerabilities.
Impact assessment for HPE Products is available here
Additional details on HPE Support Centre
-
AMD Processor Vulnerabilities (Fallout/Masterkey/Ryzenfall/Chimera)
On 13 March 2018, CTS Labs publicly released information regarding research into security vulnerabilities impacting some AMD products. In terms of HPE Servers, the relevant vulnerabilities impact the AMD Secure Processor (PSP) utilised in the AMD EPYC 7000 Series processor used on the HPE ProLiant DL385 Gen10 and HPE Cloudline CL3150 Gen10 servers. No other HPE server products are impacted by these potential vulnerabilities.
HPE is working with AMD to determine the extent of the vulnerability, and what precautions might be needed to mitigate any exposure. Fortunately, the new HPE DL385 Gen10 product ships with all the new HPE security features, including the HPE Silicon Root of Trust. This new HPE technology protects against typical denial of service or permanent denial of service conditions that might be caused by one part of this vulnerability.
As HPE, working with AMD, learns more information, we will update our communications. In addition, please reference the following statement published by AMD on 20 March.
Impact assessment for HPE Products is available here
Additional details on HPE Support Centre
-
Side Channel Analysis Method (Spectre & Meltdown) Allows Information Disclosure in Microprocessors (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754)
Recently, Side-Channel (Spectre & Meltdown) security vulnerabilities involving speculative execution were publicly disclosed. These vulnerabilities may impact the listed HPE products, potentially leading to information disclosure and elevation of privilege. Mitigation and resolution of these vulnerabilities may call for both an operating system update, provided by the OS vendor, and a system ROM update from HPE. Intel provided an initial high level statement here.
In addition, we are alerting our customers to an Intel statement published on 22 January 2018 regarding issues associated with the Intel microcode patch designed to address the Side-Channel Analysis vulnerability. Intel recommends that customers stop deployment of the HPE ProLiant, HPE Synergy, HPE Superdome Flex and HPE Superdome X System ROMs that include the updated microcode and revert back to the previous version of System ROM. The impact assessment linked below has been updated accordingly. Please reference the HPE Customer Guidance Pack and HPE Customer Advisory for additional details about this issue. Please note that the HPE ProLiant DL385 Gen10 with the AMD microcode update is working as designed and has mitigated the risk associated with the Side Channel Analysis vulnerability.
Impact assessment for HPE Products is available here
Links to patches for affected HPE products are available here
Additional details on HPE Support Centre
-
Intel Management Engine (ME) and Server Platform Services (SPS) Firmware Security Vulnerability (CVE-2017-5706/CVE-2017-5709)
Recently, one of our suppliers, Intel, discovered a potential security vulnerability in its Server Platform Services (SPS) firmware. The security vulnerability affected several of its processor architectures; however, not all of the impacted Intel server processor architectures are used in HPE products. Specifically, the SPS/ME firmware used in Intel’s architecture can be compromised using physical access. As a result, non-authenticated code may be executed in the SPS environment outside of the visibility of the user and operating system administrator.
These vulnerabilities are not unique to HPE servers and will affect any systems using Intel’s identified processor architectures with impacted firmware revisions.
Impact assessments for HPE Products as HTML or Spreadsheet
Additional details on HPE Support Centre
-
WPA2 Key Reinstallation Attacks (aka "Krack Attack")
On 16 October 2017, security researchers Mathy Vanhoef and Frank Piessens described vulnerabilities in Wi-Fi Protected Access II (WPA2) by publishing a research paper, "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2". Certain vulnerable WPA2 handshake traffic can be manipulated to induce nonce and session key reuse, resulting in key reinstallation by a wireless access point (AP) or wireless client. This allows an attacker within range of an affected AP and wireless client to execute arbitrary packet decryption, packet injection, TCP connection hijacking and HTTP content injection.
This vulnerability has the following CVEs assigned: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088.
Impact assessments for HPE Products as HTML or Spreadsheet
Additional details on HPE Support Centre
-
Apache Struts 2 Vulnerability - (CVE-2017-9805)
The REST Plugin in Apache Struts 2 uses an XStreamHandler with an instance of XStream for deserialisation without any type filtering, which could lead to Remote Code Execution when deserialising XML payloads. An attacker could use this flaw to execute arbitrary code or to conduct further attacks.
To learn more about CVE-2017-9805, see the MITRE CVE dictionary and NIST NVD.
Impact assessments for HPE Products as HTML or Spreadsheet
Additional details on HPE Support Centre
-
Microsoft Windows WCry/WannaCry Ransomware MS17-010 Vulnerability (CVE-2017-0143 - CVE-2017-0148)
On 12 May 2017, a ransomware attack was deployed by unknown actors against Microsoft Windows clients. The attack caused PCs and servers to be encrypted as part of a ransomware type of Denial of Service attack. On 14 March 2017, Microsoft released MS17-010, a patch which addresses the vulnerability. Additional information about this vulnerability is available from Microsoft - MS17-010 and from NVD - CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148.
Impact assessments for HPE Products as HTML or Spreadsheet
Additional details on HPE Support Centre
-
Intel AMT Escalation of Privilege Vulnerability - CVE-2017-5689
On 1 May 2017, Intel disclosed a new vulnerability in its Intel Manageability Firmware which is used on some systems containing Intel processors. This vulnerability allows an unprivileged network or local attacker to gain control of the remote manageability features of Intel Active Management Technology (AMT), Intel Standard Manageability (ISM) and Intel Small Business Technology (SBT) platforms. Additional information about this vulnerability is available at CVE-2017-5689.
Impact assessments for HPE Products as HTML or Spreadsheet
Additional details on HPE Support Centre
-
Apache Struts 2 Vulnerability - CVE-2017-5638
On 6 March 2017, Apache disclosed a new vulnerability in Apache Struts 2. The vulnerability allows remote code execution when performing file upload using the Jakarta multipart parser used in Apache Struts 2. This flaw allows an attacker to send an invalid Content-Type HTTP header as part of the file upload request, which could result in execution of arbitrary code on the vulnerable system. If exploited, the attacker can steal critical data and/or take control of the affected system. Additional information about this vulnerability is available at CVE-2017-5638.
Product Impact Assessment HTML
-
Privilege Escalation Vulnerability in the Linux Kernel (“Dirty COW”)
On 19 October 2016, a privilege escalation vulnerability in the Linux kernel was disclosed. A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. This flaw allows an unprivileged local user to gain write access to otherwise read-only memory mappings and thus gain increased privileges on the system. This vulnerability is referred to as “Dirty COW”. Additional information about this vulnerability is available at CVE-2016-5195.
Product Impact Assessment HTML
-
HTTP_PROXY Environment Variable Handling Vulnerability ("FalseCONNECT")
On 15 August 2016, a vulnerability referred to as “FalseCONNECT”, in the implementation of HTTP 407 (proxy authentication required) for the CONNECT method was disclosed. Since these requests are always made in plain text over HTTP, they are susceptible to man-in-the-middle attacks that may be leveraged to expose user credentials, and in some implementations, render HTML and scripts in the client DOM within a security context. The injection as well as tampering of 407 authentication headers in the context of the CONNECT method can subject a user to phishing as well as authentication downgrade attacks. Additional information about the vulnerability is available at CERT VU#905344.
-
CGI application vulnerability ("HTTPoxy") for PHP, Go, Python and others
On 18 July 2016, a vulnerability in the handling of the HTTP_PROXY environment variable by web servers, web frameworks, and programming languages that run in CGI or CGI-like environments, referred to as HTTPoxy, was disclosed. The vulnerability stems from using user-supplied input to set the HTTP_PROXY environment variable without sufficient validation. This vulnerability could allow an unauthenticated, remote attacker to perform a man-in-the-middle (MITM) attack or redirect outbound traffic to an arbitrary server, which can cause disclosure of sensitive information. Additional information about this vulnerability is available at CVE-HTTPoxy.
Product Impact Assessment HTML
-
Cross-protocol Attack on TLS using SSLv2 (DROWN) – CVE-2016-0800
On 1 March 2016, a new attack was released which is being referred to as DROWN – Decrypting RSA using Obsolete and Weakened eNcryption. This is a cross-protocol attack that exploits a vulnerability in SSLv2 to decrypt passively collected TLS sessions. Additional information about the vulnerability is available at CVE-2016-0800.
-
Stack-Based Buffer Overflow in Glibc's Getaddrinfo()
On 16 February 2016, a stack-based buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the getaddrinfo() library function of glibc. Applications using this function may be exploited by attackers to perform remote code execution on the affected device. Additional information about the vulnerability is available on the NIST website CVE-2015-7547.
-
Intel Processor Security Vulnerability (aka “Memory Sinkhole”)
Overview
On 6 August 2015, at the Black Hat security conference in Las Vegas, security researcher Christopher Domas demonstrated installing a rootkit in a PC's firmware. Domas nicknamed the demonstration a “memory sinkhole”. The attack exploited a feature built into x86 chips manufactured since the mid-1990s until the 2011 release of Intel Xeon Processor E5-2600 Series (i.e., Sandy Bridge-EP).
The vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System Management Mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to use the most privileged of execution modes and potentially overwrite secure features in the boot environment. The demonstration exploit uses the UEFI code features to install a rootkit.
Potential Impact
HPE has investigated the potential impact of this issue on our Enterprise products (i.e., Servers, Storage and Networking) and determined that HPE ProLiant Gen8 and Gen9-series servers are not vulnerable, as Intel previously addressed this design flaw in Intel Xeon Processor E5-2600 Series and subsequent models of server processors. Please note that Intel Xeon Processor E5-2600 Series are used in ProLiant Gen8 servers.
In addition, HPE has investigated the potential impact of this issue on HPE ProLiant G5, G6 and G7-series servers and determined they are not vulnerable to the specific attack demonstrated by Christopher Domas at the Black Hat security conference. Intel is providing a microcode update for these servers which will prevent a potential security breach, if an attempt is made to exploit this vulnerability. As an added measure of security, HPE plans to implement this microcode in updated ProLiant System ROMs, which will be made available for download on HPE Support Centre, at no cost to customers.
What can you do?
Please check back for updates to this page regarding the availability of updated System ROMs for ProLiant G5, G6 and G7-series servers.
-
ISC BIND TKEY query handling Vulnerability – CVE-2015-5477
A vulnerability affecting DNS name servers based on ISC BIND was announced on 28 July 2015. This vulnerability could allow a remotely exploitable Denial of Service against name servers running ISC BIND. Additional information about the ISC BIND TKEY query handling vulnerability is available at CVE-2015-5477.
-
OpenSSL Alternative Chains Certificate Forgery Vulnerability
On 9 July 2015, OpenSSL disclosed a flaw in the way alternative certificate chains are verified. This only impacts versions of OpenSSL released since June 2015: v1.0.2c, v1.0.2b, v1.0.1o and v1.0.1n. Exploitation of this vulnerability could allow an attacker to bypass certain certificate validation checks, enabling them to issue an invalid certificate. Additional information about this vulnerability is available on the NIST web site CVE-2015-1793.
-
VENOM Vulnerability – CVE-2015-3456
On 13 May 2015, a vulnerability was announced in the virtual floppy drive code used by many virtualisation platforms. Exploitation of this vulnerability could allow an attacker to escape from the affected Virtual Machine (VM) guest and potentially execute code on the host. Additional information about the VENOM vulnerability is available on the NIST web site CVE-2015-3456.
-
Glibc “GHOST” Vulnerability
On 27 January 2015, a buffer overflow vulnerability in the GNU C library (glibc) was publicly disclosed. The flaw was discovered in the gethostbyname set of functions of glibc and could be used to execute arbitrary code. Additional information about the vulnerability is available on the NIST web site CVE-2015-0235.
-
SSLv3 POODLE Vulnerability – CVE-2014-3566
On 14 October 2014, a vulnerability in the SSLv3 protocol was released. Exploitation of this vulnerability could allow an attacker to decrypt portions of encrypted traffic via a POODLE (Padding Oracle on Downgraded Legacy Encryption) attack. Additional information about the SSLv3 POODLE vulnerability is available on the NIST web site CVE-2014-3566.
-
GNU Bourne Again Shell (Bash) ‘Shellshock’ Vulnerability
A recent Bash vulnerability affecting Unix-based operating systems, such as Linux and Mac OS X, was announced on 24 September 2014. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on an affected system. More information about this issue is available at CVE-2014-7169.
-
OpenSSL “Heartbleed” Vulnerability
On 8 April 2014, HP was notified of an OpenSSL vulnerability CVE-2014-0160 (now known as "Heartbleed"). This vulnerability has garnered a substantial amount of media attention. See the resources section for a link to the National Vulnerability Database entry describing the vulnerability in detail. OpenSSL is used in some HP products to provide encryption and SSL services.
Product Support
Technical product support is available from HPE Support Centre.
HPE Security and Digital Protection Services