Microprocessor Side-Channel Vulnerabilities (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell products

CVE ID: CVE-2017-5715, CVE-2017-5753, CVE-2017-5754

Dell is aware of the side-channel analysis vulnerabilities known as Meltdown and Spectre, which affect many modern microprocessors and were publicly described by a team of security researchers on January 3, 2018. No "real-world" exploits of these vulnerabilities have been reported to date, though researchers have produced proofs of concept.

Patch Guidance

Update 10/11/2019: There are three essential components that need to be applied to mitigate the above-mentioned vulnerabilities:

1. Apply the processor microcode update via BIOS update listed in the Dell Products Affected section below.
2. Apply the applicable operating system patch. See the OS Patch Guidance section below.
3. For applicable systems, apply the NVIDIA driver package listed in the Dell Client Products with NVIDIA GPU section below. For platforms that include the GeForce Experience (GFE) software, the driver package will also include the mitigated version of GFE.

The Operating System patches provide mitigation to Spectre (Variant 1) and Meltdown (Variant 3). The NVIDIA driver update provides mitigation for Spectre (Variant 1). The microcode update is only required for Spectre (Variant 2), CVE-2017-5715.

Dell will update this article with information as it becomes available, including impacted products and remediation steps.

Dell recommends customers follow security best practices for malware protection, in general, to protect against possible exploitation of these vulnerabilities. These practices include promptly adopting software updates, avoiding unrecognized hyperlinks and websites, not downloading files or applications from unknown sources and following secure password protocols. Customers should also use security software to help protect against malware (advanced threat prevention software or anti-virus).

Notes: The affected platform list for Dell client products will be updated as information becomes available.

For information concerning Dell EMC products (Dell PowerEdge Servers, Storage and Networking), refer to Dell Knowledge Base article Microprocessor Side-Channel Attacks (CVE-2017-5715, CVE-2017-5753, CVE-2017-5754): Impact on Dell EMC products (Dell Enterprise Servers, Storage and Networking).

Dell Consumer and Commercial Client Products Affected

The systems below are affected and will receive patched firmware via Dell BIOS release (BIOS update). Dates in this list are estimates provided for customer planning purposes and will be updated with links to download packages when available.

Notes: Prior to installing the BIOS releases, please ensure Windows Updates are up to date.

The dates listed are estimated availability dates, and are subject to change without notice.

Dates below are in US format of MM/DD/YY

These patches may also include the firmware component of the Intel ME/TXE Advisory (INTEL-SA-00086). Please refer to the Dell Knowledge Base article on the Intel ME/TXE advisory for complete details.

The table below has a link to the product page for your Dell computer, which contains the latest BIOS available. Follow the instructions below.

You will need to do the following:

1. Touch or click the link to be taken to the Drivers & downloads section of the product page for your Dell computer.
2. Using the drop down menu under Category:, select BIOS.
3. Touch or click Download to the right of the latest BIOS listed for your computer, and then follow the prompts.

Note: ThinOS versions 8.4 and later are not affected.

ThinOS, by design, is a "closed" OS, i.e., only Dell-supplied software can run on ThinOS. There is no web browser or other interface to browse, download or install software on ThinOS. In version 8.4, ThinOS introduced digital signature verification of software updates or packages. Thus, users (including Administrators) cannot download or install other software on ThinOS, including malware that could exploit the vulnerabilities in the underlying CPU. Customers should update their devices to the latest version of ThinOS. Dell will continue to monitor the situation.

You will need to do the following:

1. Touch or click the link to be taken to the Drivers & downloads section of the product page for your Dell computer.
2. Using the drop down menu under Operating System:, select the Operating System installed on your computer.
3. Using the drop down menu under Category:, select Video.
4. Touch or click Download to the right of the latest Video or Graphics driver listed for your computer, and then follow the prompts.

OS Patch Guidance

The operating systems listed below are affected and should be updated by following the instructions provided in the advisory for the applicable operating system.

Microsoft Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

Red Hat: https://access.redhat.com/security/vulnerabilities/speculativeexecution

SUSE: https://www.suse.com/support/kb/doc/?id=7022512

Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/SpectreAndMeltdown

ChromeOS: https://support.google.com/faqs/answer/7622138#chromeos
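
A Linux-side check of the mitigations described under Patch Guidance, as an added example that is not part of Dell's advisory: it reads the status lines that patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities and names the component from the guidance that is still worth verifying. The function names and the SAMPLE values are constructed for illustration.

```python
from pathlib import Path

# Status files exposed by patched Linux kernels (4.15+ and distro backports).
SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# CVE -> (sysfs file, variant, component the Patch Guidance names for it).
CHECKS = {
    "CVE-2017-5753": ("spectre_v1", "Spectre (Variant 1)",
                      "operating system patch (and NVIDIA driver where applicable)"),
    "CVE-2017-5715": ("spectre_v2", "Spectre (Variant 2)",
                      "processor microcode update via BIOS update"),
    "CVE-2017-5754": ("meltdown", "Meltdown (Variant 3)",
                      "operating system patch"),
}

# Constructed sample: OS patch applied, Variant 2 still unmitigated.
SAMPLE = {"spectre_v1": "Mitigation: __user pointer sanitization\n",
          "spectre_v2": "Vulnerable\n",
          "meltdown": "Mitigation: PTI\n"}

def read_sysfs(sysfs_dir=SYSFS_DIR):
    """Return {file name: text, or None when the kernel does not expose it}."""
    texts = {}
    for fname, _, _ in CHECKS.values():
        try:
            texts[fname] = (Path(sysfs_dir) / fname).read_text()
        except OSError:
            texts[fname] = None
    return texts

def classify(text):
    """Reduce a kernel status line to one of four states."""
    line = (text or "").strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if line.startswith(prefix):
            return state
    return "unknown"  # file missing or text not recognised

def audit(texts):
    """Map each CVE to its state and the component still to verify."""
    report = {}
    for cve, (fname, variant, component) in CHECKS.items():
        state = classify(texts.get(fname))
        pending = component if state in ("vulnerable", "unknown") else None
        report[cve] = {"variant": variant, "state": state, "apply": pending}
    return report

if __name__ == "__main__":
    for cve, r in audit(read_sysfs()).items():
        print(cve, r["variant"], r["state"], r["apply"] or "")
```

An "unknown" state means the kernel does not report on that issue at all, which on an affected system usually points to a missing operating system patch.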

References

Intel Security Advisory: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr

NVIDIA Security Bulletins:

AMD Update: http://www.amd.com/en/corporate/speculative-execution

Google Project Zero Blog Post: https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.html

Research papers: https://meltdownattack.com