Benutzer:MathiasMahnke/Hardware Verwundbarkeit 2019: Difference between revisions
From Opennet
(Microcode update completed on all servers)
(64 intermediate revisions by one user are not shown)
Zeile 1: | Zeile 1: | ||
− | Analog [[Benutzer:MathiasMahnke/Hardware Verwundbarkeit 2018]] sind Verwundbarkeiten | + | Analog [[Benutzer:MathiasMahnke/Hardware Verwundbarkeit 2018|2018]] sind Verwundbarkeiten unserer eingesetzten Hardware für Server vorhanden. Status der Aktualisierungen 05/2019: |
{| {{prettytable}} | {| {{prettytable}} | ||
− | |||
− | |||
− | |||
− | |||
! | ! | ||
+ | !CPU Microcode | ||
+ | !IPMI | ||
+ | !BIOS | ||
+ | !UEFI | ||
+ | !OS Driver Pack | ||
+ | !NIC | ||
+ | !SAS/RAID | ||
+ | !QEMU | ||
+ | !libvirt | ||
|- | |- | ||
− | ! | + | !Dell R330 |
− | |3. | + | |3.20190618.1 |
− | |2.63.60.61 | + | |2.63.60.61 |
|2.6.1 | |2.6.1 | ||
− | | | + | |4239A36 |
+ | |18.12.04 | ||
+ | |21.40.9 | ||
+ | |25.5.5.0005 | ||
+ | |1:2.8+dfsg-6+deb9u7 | ||
+ | |3.0.0-4+deb9u4 | ||
|- | |- | ||
− | |ryoko | + | |[[Server/ryoko]] |
− | |OK ( | + | |OK (0xca) - E3-1270v6 |
|OK | |OK | ||
− | | | + | |OK |
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |- | ||
+ | |[[Server/aqua]] | ||
+ | |OK (0xd6) - E3-1270v5 | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |- | ||
+ | |[[Server/tamago]] | ||
+ | |OK (0xca) - E3-1270v6 | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |OK | ||
+ | |- | ||
+ | !Dell SC1435 | ||
+ | |3.20160316.3 | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
| | | | ||
+ | |- | ||
+ | |[[Server/titan]] | ||
+ | |OK (0x10000db) - Opt. 2376 | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | |N/A | ||
+ | |N/A | ||
+ | |- | ||
+ | !Mietserver (Fujitsu) | ||
+ | |3.20190618.1 | ||
+ | | | ||
+ | |1.19.0.SR.1 | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | |- | ||
+ | |[[Server/akito]] | ||
+ | |OK (0xca) - i7-7700 | ||
+ | |unbekannt | ||
+ | |OK (Spectre v4, no MDS) | ||
+ | |unbekannt | ||
+ | |unbekannt | ||
+ | |unbekannt | ||
+ | |unbekannt | ||
+ | |OK | ||
+ | |OK | ||
|- | |- | ||
|} | |} | ||
− | + | Alle Opennet Server incl. VMs haben ein Kernel Update zu 4.9.168-1+deb9u2 erhalten. | |
− | * MDS: https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html | + | |
+ | Informationen: | ||
+ | * Dell-EMC: https://www.dell.com/support/home/us/en/04/product-support/product/poweredge-r330/drivers | ||
+ | * Hetzner: https://wiki.hetzner.de/index.php/CPU_vulnerabilities_based_on_Spectre_and_Meltdown | ||
+ | * MDS (auch unter "ZombieLoad" bekannt): | ||
+ | ** https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html | ||
+ | ** https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html | ||
+ | * QEMU MDS: https://www.debian.org/security/2019/dsa-4454 | ||
Kontrolle: | Kontrolle: | ||
− | * Intel Microcode: | + | * Intel Microcode: |
+ | journalctl -b -k | grep microcode | ||
+ | cat /sys/devices/system/cpu/vulnerabilities/* | ||
* iDRAC Firmware und BIOS: HTTPS <hostname>-ipmi.on > Server-Informationen | * iDRAC Firmware und BIOS: HTTPS <hostname>-ipmi.on > Server-Informationen | ||
+ | * OS Driver, NIC, SAS RAID: via LifeCycle Controller, erreichbar über HTTPS <hostname>-ipmi.on > Virtuelle Console > Serverboot Menu > F10 | ||
+ | |||
+ | Quellen: | ||
+ | * iDRAC-with-Lifecycle-Controller_Firmware_40T1C_WN32_2.63.60.61_A00.EXE und BIOS_TCC0H_WN64_2.6.1.EXE, eingespielt via IPMI | ||
+ | * OS Driver, NIC, SAS RAID: via LifeCycle Controller Download von ''ftp.dell.com'' (Server NIC1 muss passend zum Standort konfiguriert sein, Static IP bzw. DHCP / DHCPv6) | ||
+ | * Intel Microcode: ''intel-microcode'' via Debian Apt Repository (non-free, contrib) | ||
+ | * Hetzner HW: https://wiki.hetzner.de/index.php/Spectre_and_Meltdown_Firmware_Updates#Update_Script |
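Review bot: In the akito row, the BIOS cell "OK (Spectre v4, no MDS)" marks the entry as OK while also saying MDS is not covered, so a reader cannot tell whether that host still needs a BIOS update; a separate status (for example "partial") with a note on what is missing would be clearer. In the Kontrolle block, `cat /sys/devices/system/cpu/vulnerabilities/*` prints the values without the file names; `grep . /sys/devices/system/cpu/vulnerabilities/*` shows which vulnerability each line belongs to. The intro still reads "Status der Aktualisierungen 05/2019" although the table now lists package versions such as 3.20190618.1, so the status date should be updated along with the table.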
Latest revision as of 15 December 2019, 09:18
As in 2018, the server hardware we use is affected by vulnerabilities. Status of the updates as of 05/2019:
| | CPU Microcode | IPMI | BIOS | UEFI | OS Driver Pack | NIC | SAS/RAID | QEMU | libvirt |
|---|---|---|---|---|---|---|---|---|---|
| **Dell R330** | 3.20190618.1 | 2.63.60.61 | 2.6.1 | 4239A36 | 18.12.04 | 21.40.9 | 25.5.5.0005 | 1:2.8+dfsg-6+deb9u7 | 3.0.0-4+deb9u4 |
| Server/ryoko | OK (0xca) - E3-1270v6 | OK | OK | OK | OK | OK | OK | OK | OK |
| Server/aqua | OK (0xd6) - E3-1270v5 | OK | OK | OK | OK | OK | OK | OK | OK |
| Server/tamago | OK (0xca) - E3-1270v6 | OK | OK | OK | OK | OK | OK | OK | OK |
| **Dell SC1435** | 3.20160316.3 | | | | | | | | |
| Server/titan | OK (0x10000db) - Opt. 2376 | | | | | | | N/A | N/A |
| **Rented server (Fujitsu)** | 3.20190618.1 | | 1.19.0.SR.1 | | | | | | |
| Server/akito | OK (0xca) - i7-7700 | unknown | OK (Spectre v4, no MDS) | unknown | unknown | unknown | unknown | OK | OK |
All Opennet servers, including VMs, have received a kernel update to 4.9.168-1+deb9u2.
Information:
- Dell-EMC: https://www.dell.com/support/home/us/en/04/product-support/product/poweredge-r330/drivers
- Hetzner: https://wiki.hetzner.de/index.php/CPU_vulnerabilities_based_on_Spectre_and_Meltdown
- MDS (also known as "ZombieLoad"):
  - https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html
  - https://www.kernel.org/doc/html/latest/admin-guide/hw-vuln/mds.html
- QEMU MDS: https://www.debian.org/security/2019/dsa-4454
Verification:
- Intel microcode:

      journalctl -b -k | grep microcode
      cat /sys/devices/system/cpu/vulnerabilities/*

- iDRAC firmware and BIOS: HTTPS <hostname>-ipmi.on > Server Information
- OS driver, NIC, SAS RAID: via the Lifecycle Controller, reachable over HTTPS <hostname>-ipmi.on > Virtual Console > server boot menu > F10
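
The two microcode checks above, turned into a script that evaluates the output instead of only printing it (an added example, not part of the wiki page). The function names, the OK/WARN/FAIL labels and the sample files are assumptions constructed for illustration; the status strings follow the kernel hw-vuln documentation linked under Information.

```shell
#!/bin/sh
# Added example (not from the wiki page): evaluate the microcode revision and
# the sysfs vulnerability entries. Paths are parameters so that the functions
# can be run against constructed data as well as the live system.

# Print the microcode revision of the first CPU listed in a cpuinfo file.
microcode_rev() {
    awk -F': ' '/^microcode/ { print $2; exit }' "${1:-/proc/cpuinfo}"
}

# Succeed only if the running revision equals the expected one (e.g. 0xca).
check_microcode() {
    [ "$(microcode_rev "$2")" = "$1" ]
}

# Classify every file in the sysfs vulnerabilities directory.
# Returns 1 if the directory is missing or any entry is FAIL or UNKNOWN.
classify_vulns() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    [ -d "$dir" ] || { echo "UNKNOWN $dir missing (kernel too old?)"; return 1; }
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        text=$(cat "$f")
        case $text in
            Vulnerable*)                 status=FAIL; rc=1 ;;
            *"SMT vulnerable"*)          status=WARN ;;   # mitigated, but not across hyperthreads
            Mitigation*|"Not affected"*) status=OK ;;
            *)                           status=UNKNOWN; rc=1 ;;
        esac
        printf '%-7s %s: %s\n' "$status" "${f##*/}" "$text"
    done
    return "$rc"
}

# Constructed sample data: a host on which the microcode update is still missing.
demo=$(mktemp -d)
printf 'processor\t: 0\nmicrocode\t: 0xb4\n' > "$demo/cpuinfo"
mkdir "$demo/vuln"
echo 'Mitigation: PTI' > "$demo/vuln/meltdown"
echo 'Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable' > "$demo/vuln/mds"

check_microcode 0xca "$demo/cpuinfo" ||
    echo "microcode: $(microcode_rev "$demo/cpuinfo"), expected 0xca"
classify_vulns "$demo/vuln" || echo "at least one vulnerability is not mitigated"
rm -rf "$demo"
```

Called without arguments, `microcode_rev` and `classify_vulns` read `/proc/cpuinfo` and `/sys/devices/system/cpu/vulnerabilities` on the running host.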
Sources:
- iDRAC-with-Lifecycle-Controller_Firmware_40T1C_WN32_2.63.60.61_A00.EXE and BIOS_TCC0H_WN64_2.6.1.EXE, installed via IPMI
- OS driver, NIC, SAS RAID: downloaded through the Lifecycle Controller from ftp.dell.com (server NIC1 must be configured to match the site: static IP or DHCP / DHCPv6)
- Intel microcode: intel-microcode from the Debian APT repository (non-free, contrib)
- Hetzner HW: https://wiki.hetzner.de/index.php/Spectre_and_Meltdown_Firmware_Updates#Update_Script