Security Notice - Statement about Meltdown and Spectre Vulnerabilities

Home Page > Support >Notice

Publish at:2018-01-08

Summary

On January 2, 2018, the Google security team announced the “Meltdown" (CVE-2017-5754) and “Spectre”(CVE-2017-5715/CVE-2017-5753) A-level vulnerabilities on Intel CPU chips. 

In some circumstances, a local attacker could exploit these vulnerabilities to read memory information belonging to other OS kernel or other processes.

Meltdown vulnerability destroys the basic isolation between the user program and the operating system, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

Spectre vulnerability undermines the security isolation between different applications, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

After receiving the notification of security vulnerability on the night of January 3, 2018, ZTE drew back key staffs from projects such as CGSL, VPlat and CGEL and immediately set up an emergency response team to start analyzing, actively communicating with relevant CPUs and operating system vendors. Combined with the security architecture of NFV/Non-NFV Network for the Meltdown/Spectre vulnerability  threat analysis, ZTE determined the risk level, communicated with related CPU and OS suppliers, closely tracked the treatment scheme of the upstream suppliers, and finished the system test, confirming the impact of patches for systems Services.

Impact

The two vulnerabilities are widespread:
    Processor Chips: Intel, ARM, and other processors are affected
    OS: Windows, Linux, macOS, Android;
    Cloud service providers: Amazon, Microsoft, Google, Tencent Cloud, Alibaba Cloud, etc.
    Various private cloud infrastructure;
    Desktop users 
We confirm that the following CCN products are affected by the vulnerabilities,

Affected Products

EPC, IMS, SDM, CS, CG, EMS, MANO, VAS, TECS, SSP

The Process of Vulnerability Handling of the Upstream Suppliers

1. The process of Intel CPU Fireware patch

Jan. 22. 2018: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
Jan. 17. 2018: Firmware Updates and Initial Performance Data for Data Center Systems (Includes performance data results)
Jan. 11. 2018: Intel Security Issue Update: Addressing Reboot Issues
Jan. 10. 2018: Intel Security Issue Update: Initial Performance Data Results for Client Systems (Includes performance data results)
Jan. 9. 2018: Intel Offers Security Issue Update
Jan. 4. 2018: Intel Issues Updates to Protect Systems from Security Exploits
Intel Statement: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Notice:
Jan.23.2018: Intel have closed the version downloading of the Vulnerability 
We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior。

2. The process of RHEL kernel patch from Redhat 

Jan. 4. 2018: the  Update of Kernel is available for Red Hat Enterprise Linux 6.2  
Jan. 4. 2018: the  Update of Kernel is available for Red Hat Enterprise Linux 6.7  
Jan. 3. 2018: the  Update of Kernel is available for Red Hat Enterprise Linux 7 

The Process of Vulnerability Handling of ZTE CCN Product

1. The process of CGSL OS patch for Meltdown/Spectre Vulnerability

According to the released codes from REDHAT open-source community, ZTE CGSL OS team have incorporated into the CGSL V4 / V5 OS version.

OS version

Coding complete time

Kernel patch info

Release status

CGSL V5.04.F2

2018.1.8

atca-drivers-3.4.7-3.cgslv5u4.el7.cgsl2172.x86_64.rpm

cgsl-led-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm

common-disk-drivers-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm

common-nic-drivers-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm

i40e-2.0.30-1.cgslv5u4.el7.cgsl2172.x86_64.rpm

kernel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

Released

CGSL V4.05.F11

2018.1.20

kernel-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm

kernel-devel-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm

kernel-headers-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm

microcode_ctl-1.17-25.2.el6_9.x86_64.rpm

perf-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm

python-perf-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm

Released

CGSL V4.02.20.P2.F27

2018.1.26

kernel-devel-2.6.32-220.el6.x86_64.rpm

kernel-2.6.32-220.el6.x86_64.rpm        kernel-headers-2.6.32-220.el6.x86_64.rpm        kernel-firmware-2.6.32-220.el6.noarch.rpm

perf-2.6.32-220.el6.x86_64.rpm

kernel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

kernel-devel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

kernel-headers-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

kernel-tools-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

kernel-tools-libs-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

perf-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

python-perf-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm

As the defect of the upstream manufacturers, suspended patches, not released

2.  CCN product patch validation progress

After the upstream manufacturers give patch, ZTE CCN product teams have start the process of patch test for the NE services.
 currently receive notice from Intel, suspend corresponding test, waiting for Intel give advice to guide next step.

Customer  can visit the zte support web sites (http://support.zte.com.cn) and get vulnerability progress information.
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008922

Present Vulnerability Security recommendations

ZTE CCN product team advises Customer according to CCN Non-NFV NE Solution for Handling the Meltdown Vulnerability and Spectre Vuln/CCN NFV NE Solution for Handling the Meltdown Vulnerability and Spectre Vuln for system security hardening ,improve the protection ability, resist Trojan attacks, reduce Vulnerability affected probability.

Update Records

Related investigation and analysis upon the vulnerabilities are still ongoing. ZTE’s Telecom Cloud & CN products will update this security notice in a timely manner.

2018-1-8, initial.

2018-1-10, Affected Products and Fixing Plan updated.

2018-1-19, Affected Products and Fixing Plan updated.

2018-2-5, Affected Products and Fixing Plan updated.

ZTE PSIRT

If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.