Security Notice - Statement about Meltdown and Spectre Vulnerabilities

Published: 2018-01-08

Summary

On January 2, 2018, the Google security team announced the "Meltdown" (CVE-2017-5754) and "Spectre" (CVE-2017-5715/CVE-2017-5753) A-level vulnerabilities in Intel CPU chips.

In some circumstances, a local attacker could exploit these vulnerabilities to read memory belonging to the OS kernel or to other processes.

The Meltdown vulnerability breaks the basic isolation between user programs and the operating system, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache.

The Spectre vulnerability undermines the security isolation between different applications, allowing unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

After receiving notification of the security vulnerabilities on the night of January 3, 2018, ZTE recalled key staff from projects such as CGSL, VPlat and CGEL and immediately set up an emergency response team to begin analysis and to communicate actively with the relevant CPU and operating system vendors. Using the security architecture of NFV/non-NFV networks as the basis for the Meltdown/Spectre threat analysis, ZTE determined the risk level, communicated with the related CPU and OS suppliers, closely tracked the upstream suppliers' remediation plans, and completed system testing to confirm the impact of the patches on system services.

Impact

The two vulnerabilities are widespread:
    Processor chips: Intel, ARM, and other processors are affected;
    OS: Windows, Linux, macOS, Android;
    Cloud service providers: Amazon, Microsoft, Google, Tencent Cloud, Alibaba Cloud, etc.;
    Various private cloud infrastructure;
    Desktop users.

We confirm that the following CCN products are affected by the vulnerabilities.

Affected Products

EPC, IMS, SDM, CS, CG, EMS, MANO, VAS, TECS, SSP

The Process of Vulnerability Handling of the Upstream Suppliers

1. Progress of the Intel CPU firmware patch

Jan. 22, 2018: Root Cause of Reboot Issue Identified; Updated Guidance for Customers and Partners
Jan. 17, 2018: Firmware Updates and Initial Performance Data for Data Center Systems (Includes performance data results)
Jan. 11, 2018: Intel Security Issue Update: Addressing Reboot Issues
Jan. 10, 2018: Intel Security Issue Update: Initial Performance Data Results for Client Systems (Includes performance data results)
Jan. 9, 2018: Intel Offers Security Issue Update
Jan. 4, 2018: Intel Issues Updates to Protect Systems from Security Exploits
Intel Statement: https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
Notice:
Jan. 23, 2018: Intel has closed downloads of the versions for the vulnerability.
We recommend that OEMs, cloud service providers, system manufacturers, software vendors and end users stop deployment of current versions, as they may introduce higher than expected reboots and other unpredictable system behavior.

2. Progress of the RHEL kernel patch from Red Hat

Jan. 4, 2018: Kernel update available for Red Hat Enterprise Linux 6.2
Jan. 4, 2018: Kernel update available for Red Hat Enterprise Linux 6.7
Jan. 3, 2018: Kernel update available for Red Hat Enterprise Linux 7

The Process of Vulnerability Handling for ZTE CCN Products

1. Progress of the CGSL OS patch for the Meltdown/Spectre vulnerabilities

Based on the code released by the Red Hat open-source community, the ZTE CGSL OS team has incorporated the patches into the CGSL V4/V5 OS versions.

OS version: CGSL V5.04.F2
Coding complete time: 2018.1.8
Kernel patch info:
    atca-drivers-3.4.7-3.cgslv5u4.el7.cgsl2172.x86_64.rpm
    cgsl-led-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm
    common-disk-drivers-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm
    common-nic-drivers-1.0.0-cgslv5u4.el7.cgsl2172.x86_64.rpm
    i40e-2.0.30-1.cgslv5u4.el7.cgsl2172.x86_64.rpm
    kernel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
Release status: Released

OS version: CGSL V4.05.F11
Coding complete time: 2018.1.20
Kernel patch info:
    kernel-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm
    kernel-devel-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm
    kernel-headers-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm
    microcode_ctl-1.17-25.2.el6_9.x86_64.rpm
    perf-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm
    python-perf-2.6.32-642.13.1.el6.cgsl7594.x86_64.rpm
Release status: Released

OS version: CGSL V4.02.20.P2.F27
Coding complete time: 2018.1.26
Kernel patch info:
    kernel-devel-2.6.32-220.el6.x86_64.rpm
    kernel-2.6.32-220.el6.x86_64.rpm
    kernel-headers-2.6.32-220.el6.x86_64.rpm
    kernel-firmware-2.6.32-220.el6.noarch.rpm
    perf-2.6.32-220.el6.x86_64.rpm
    kernel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    kernel-devel-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    kernel-headers-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    kernel-tools-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    kernel-tools-libs-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    perf-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
    python-perf-3.10.0-693.11.6.el7.cgsl2166.x86_64.rpm
Release status: Patches suspended because of the defect from the upstream manufacturers; not released

2. CCN product patch validation progress

After the upstream manufacturers provided patches, the ZTE CCN product teams started patch testing for the NE services. Having received the notice from Intel, the teams have currently suspended the corresponding tests and are waiting for Intel's advice to guide the next step.

Customers can visit the ZTE support website (http://support.zte.com.cn) to get vulnerability progress information:
http://support.zte.com.cn/support/news/LoopholeInfoDetail.aspx?newsId=1008922

Current Vulnerability Security Recommendations

The ZTE CCN product team advises customers to harden system security according to "CCN Non-NFV NE Solution for Handling the Meltdown Vulnerability and Spectre Vuln" / "CCN NFV NE Solution for Handling the Meltdown Vulnerability and Spectre Vuln", in order to improve protection capability, resist Trojan attacks, and reduce the probability of being affected by the vulnerabilities.

Update Records

Investigation and analysis of the vulnerabilities are still ongoing. ZTE's Telecom Cloud & CN products will update this security notice in a timely manner.

2018-1-8, initial.

2018-1-10, Affected Products and Fixing Plan updated.

2018-1-19, Affected Products and Fixing Plan updated.

2018-2-5, Affected Products and Fixing Plan updated.

ZTE PSIRT

If you need to give feedback on or report security vulnerabilities related to ZTE products, or to obtain ZTE product security incident response services and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.