Like pretty much every IT professional out there, my company is scrambling to get our systems patched since the announcement of Meltdown and Spectre a couple of weeks ago. Just yesterday I wrote about how to tell if your Microsoft system was fully patched, and showed a screenshot from my Lenovo laptop where everything was patched. Here it is again:
Well, while going through all of my higher end systems at my day job I started to see a disturbing trend. That is that some budget systems like SuperMicro, and older HP systems either don't have a BIOS update to fix the Meltdown and Spectre vulnerabilities, or won't release one at all due to age. I'm sure other server vendors like Dell and IBM are in the same boat.
Here are a couple of examples. The first one is a SuperMicro server I have that isn't terribly old. The motherboard on it is a X9DRD-7LN4F. If you look at their support website, the last BIOS update for this motherboard was created in 2015!
SuperMicro has said the following in regards to releasing BIOS updates for side channel speculative execution and indirect branch prediction information disclosure, however they have not given any specific dates when their systems will be patched:
We are working around the clock to integrate, test and release the updates as soon as they are made available. To address the issue systems will need both an Operating System update and a BIOS update. Please check with operating system or VM vendors for related information.Similarly, we have several G6 HP Proliant servers that are still in operation. They have been rock solid machines, and we get third party support from Curvature for them. Curvature's hardware replacement, and technical support has always been top notch, so why get rid of these older servers? Well, no BIOS updates is one reason now...
For instance, we still use an HP Proliant DL585 G6 for QA testing. Looking at their BIOS downloads, the last one available was created in 2014!
HP has issued a bulletin on Meltdown and Spectre, and as of now it looks like they are only going to be patching Gen 8, Gen 9 and Gen 10 servers. Those of us with older servers supported by third parties are probably going to be SOL.
If you are in a similar situation, you may need to start researching other ways to mitigate for this attack. Look into products like Sonicwall UTM firewalls with IPS built in. I specifically mention Sonicwall because they have released the following statement on their protection against exploits that use Meltdown and Spectre:
The SonicWall Capture Threat Research team is releasing protection against attacks that leverage these vulnerabilities to help defend our customers’ extended infrastructure.Long story short, if you thought you were out of the woods because your OS of choice released an update, you're not there yet. In fact, there is a good chance you will never fully get out of the woods on this one.
- GAV: Exploit.Spectre.A (Exploit)