HPE Community
Servers - General
1824218 Members
3518 Online
109669 Solutions
New Discussion

Spectre v2 0 - Branch Target Injection

 
Neko-
Advisor

‎04-11-2022 02:52 AM - last edited on ‎04-20-2022 05:08 PM by

‎04-11-2022 02:52 AM - last edited on ‎04-20-2022 05:08 PM by

Spectre v2 0 - Branch Target Injection

We were alerted to a new variation of Spectre which was discovered on the 11th of March. We only got around to investigating this further today. 

See hxxps://download.vusec.net/papers/bhi-spectre-bhb_sec22.pdf for a PDF describing the vunerability. 

I wanted to check if our servers (Intel based - Windows OS) were potentially vunerable to this flaw, but I wasn't able to find anything specifically on this on the HP website, hence my posting this question to the forums to see if anyone has further insight in this. 

Intel does have a listing of the vunerability it seems: hxxps://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00598.html

From that list it seems some of our servers are vunerable

For the interested ones:

ARM: hxxps://developer.arm.com/Arm%20Security%20Center/Speculative%20Processor%20Vulnerability
AMD: hxxps://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1036

Does anyone have any insight in this issue, and potential fixes (if applicable) or a timeframe in which further information might become available? 

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
8 REPLIES 8
TVVJ
HPE Pro

‎04-12-2022 09:45 PM

‎04-12-2022 09:45 PM

Re: Spectre v2 0 - Branch Target Injection

Hello,

Please review the following to see if it is of any help to you:

Regards,



I work at HPE
HPE Support Center offers support for your HPE services and products when and how you need it. Get started with HPE Support Center today.
[All opinions expressed here are mine, and not official statements on behalf of Hewlett Packard Enterprise]
Accept or Kudo
Reply
Neko-
Advisor

‎04-13-2022 12:08 AM

‎04-13-2022 12:08 AM

Re: Spectre v2 0 - Branch Target Injection

Thanks for the links.

The Intel link I provided lists the CVE as CVE-2022-0001 and CVE-2022-0002. 

Unfortunatly both CVE numbers do not appear in the linked documents, so as such I suspect the issue is not yet addressed by HP, or atleast not in a way that's acceptable for public release. 

If you feel my assessment above to be in error, let me know. 

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
ManBha
HPE Pro

‎04-17-2022 08:58 PM

‎04-17-2022 08:58 PM

Re: Spectre v2 0 - Branch Target Injection

Hello,

 

Hope this helps.

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00120727en_us

 

Thanks.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Accept or Kudo
Reply
Neko-
Advisor

‎04-18-2022 12:21 PM

‎04-18-2022 12:21 PM

Re: Spectre v2 0 - Branch Target Injection

That issue seems to adress an ESXi vunerability.

We are currently not using any ESXi machines within our network, and I'm only facing Windows machines. While the majority of them are on a VM platform (not VMWare), those are hosted on physical servers that are not HPE. I'm working with that vendor to get those adressed. Their take is that Inlet/AMD has to release certain microcode for the CPU first before they can further address or finalize the impact on their software. So I'm guessing that would hold true for HPE the same. 

The HPE servers that we do have all run a physical copy of Windows with no hypervising taking place on any of them . 

In the mean time for two Dell servers we have, I posted the question to Dell, who came back with the statement that Microsoft may have this sorted already: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-22001

Now that link concerns CVE-2022-22001, while the vunerability addressed here got the CVE-2022-0001... So I'm a bit skeptical that these CVE's are actually referring to the same. 

 

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
ManBha
HPE Pro

‎04-19-2022 04:51 PM

‎04-19-2022 04:51 PM

Re: Spectre v2 0 - Branch Target Injection

Hello,

 

This might be addressed in the future version of BIOS.

 

Thanks.

I work for HPE.
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]

Accept or Kudo
Reply
Neko-
Advisor

‎04-19-2022 11:59 PM

‎04-19-2022 11:59 PM

Re: Spectre v2 0 - Branch Target Injection

I'm figuring this requires waiting for both Intel and AMD to release microcode to fix the vunerability, and then HPE to subsequently create a new BIOS to support the microcode. 

Guess we'll have to revisit this thread in about a month to see if there are any updates on the Intel/AMD (and by extension HPE) front... 

Thanks so far for all feedback. It's appreciated  

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
Neko-
Advisor

‎05-25-2022 12:34 AM

‎05-25-2022 12:34 AM

Re: Spectre v2 0 - Branch Target Injection

Just popping in to see if any further microcode mitigations hae been released by Intel/AMD, and subsequently have been incorporated by HP for use in their BIOS. 

 

Looking forward to hearing from anyone on this. 

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
Neko-
Advisor

‎06-27-2022 02:24 AM

‎06-27-2022 02:24 AM

Re: Spectre v2 0 - Branch Target Injection

No further updates regarding this vunerability have come to light? 

I reject your reality, and substitute my own - Adam Savage
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.