Vertiv Security Updates for CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2018-3639, CVE-2018-3640

Security Bulletin: 
Processor Speculative Execution Vulnerabilities (aka Spectre and Meltdown) in Vertiv products

Updated: 23-May 2018

Summary

The Vertiv security team is actively engaged with security research community to monitor for specific threats, partner with vendors for potential solutions, and mitigate the potential impact of security vulnerabilities to our customers and products. Over the past week, there has been significant press on two hardware based vulnerabilities that affect a large portion of modern processors, including those from Intel, AMD, and ARM-based suppliers. The root of the vulnerability is that modern processors employ speculative execution features to increase overall CPU performance.  Researchers have discovered a flaw in these mechanisms that can allow unauthorized access to the CPU data cache and leak the resulting information contained within. As with any potential security issue, we are actively working through the impact of these vulnerabilities and will be updating products that are susceptible.

Please use the following links for additional technical information on the specific threats:

• CVE-2017-5715
• CVE-2017-5753
• CVE-2017-5754
• CVE-2018-3639
• CVE-2018-3640 

Below is our current assessment and status. We will be actively updating this information as we have more information.

Impact

Products that we believe are not directly impacted:

• UMG 2000/4000: Vertiv believes that currently supported versions of UMG 2000 are not impacted by the presently known variants of these issues.
• ACS 6000: Vertiv believes that currently supported versions of ACS 6000 are not impacted by the presently known variants of these issues.
• ACS 8/16/48: Vertiv believes that currently supported versions of ACS 8/16/48 are not impacted by the presently known variants of these issues.
• MergePoint Unity: Vertiv believes that currently supported versions of MergePoint Unity are not impacted by the presently known variants of these issues.
• Autoview KVM switches: Vertiv believes that currently supported versions of Autoview KVM switches are not impacted by the presently known variants of these issues.
• IntelliSlot Unity cards: Vertiv believes that currently supported versions of IntelliSlot Unity cards are not impacted by the presently known variants of these issues.
• RPC2 Communication Modules; Vertiv believes that currently supported versions of RPC2 Communication Modules are not impacted by the presently known variants of these issues.
• iCOM Control boards: Vertiv believes that currently supported versions of iCOM Control boards are not impacted by the presently known variants of these issues.
• Vertiv RDU-A G2, RDU-SIC G2, RDU-EX, MPI PDU: Vertiv believes that currently supported versions of the listed RDU products are not impacted by the presently known variants of these issues.
• Vertiv NetSure 200/500/700/800/5000/7000/8000/9000/ITS: Vertiv believes that currently supported versions of the listed NetSure products are not impacted by the presently known variants of these issues.
• Vertiv Monitoring Modules M500F/M500D/M500S/M501D/M800D/M810G: Vertiv believes that currently supported versions of the listed monitoring modules are not impacted by the presently known variants of these issues.
• Vertiv Supervision Modules LARGEDU/SMDU/SMDU+/SMDUH/SMDCU: Vertiv believes that currently supported versions of the listed supervision modules are not impacted by the presently known variants of these issues.
• Vertiv Standard Control Units M521B/M522B/M520S/M522S/M526S: Vertiv believes that currently supported versions of the listed standard control units are not impacted by the presently known variants of these issues.
• Vertiv Monitoring Modules M523S/M524S/AEM01/M530S/M530B: Vertiv believes that currently supported versions of the listed monitoring modules are not impacted by the presently known variants of these issues.
• Vertiv Power Supplies M820D/M820N/M820B: Vertiv believes that currently supported versions of the listed power supplies are not impacted by the presently known variants of these issues.
• Vertiv Interface Boards IB1/IB2/EIB: Vertiv believes that currently supported versions of the listed interface boards are not impacted by the presently known variants of these issues.
• Vertiv Monitoring Modules M221S/M222S: Vertiv believes that currently supported versions of the listed monitoring modules are not impacted by the presently known variants of these issues.
• Vertiv Mini Controller M225S: Vertiv believes that currently supported versions of the listed mini controllers are not impacted by the presently known variants of these issues.
• Vertiv NetSure Control Units M830B/M830D/M831A/M831D: Vertiv believes that currently supported versions of the listed NetSure control units are not impacted by the presently known variants of these issues.
• Vertiv HVDC Monitors M822E/PDU1U11/HDU1U11/SMPDU1X1/SMPDU1X2/HDU1R1/HDU1R2/M222R: Vertiv believes that currently supported versions of the listed HVDC monitors are not impacted by the presently known variants of these issues.
• Vertiv System Control Cards M520H/M222B: Vertiv believes that currently supported versions of the listed system control cards are not impacted by the presently known variants of these issues.
• Vertiv Monitoring Modules M521S/ECCU+/FCU+: Vertiv believes that currently supported versions of the listed monitoring modules are not impacted by the presently known variants of these issues.
• Vertiv Battery Control Box BM400V1: Vertiv believes that currently supported versions of the listed battery control box are not impacted by the presently known variants of these issues.
• Alber Battery Monitors BDSU-50 DCM, UXIM/e, UXTM, BDS-40 DCM, BDS-256XL DCM: Vertiv believes that currently supported versions of the listed battery monitors are not impacted by the presently known variants of these issues.
• Geist R-series platform: Vertiv believes that currently supported versions of Geist R-series devices are not impacted by the presently known variants of these issues.
• Geist GU1-series platform: Vertiv believes that currently supported versions of Geist GU1-series devices are not impacted by the presently known variants of these issues.
• Geist GU2-series platform: Vertiv believes that currently supported versions of Geist GU2-series devices are not impacted by the presently known variants of these issues

Products that may require Third Party updates:

• Trellis: Vertiv believes that currently supported versions of Trellis are not impacted by the presently known variants of these issues.  However, is it likely the underlying operating system, drivers, and firmware may require security updates.  Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
• DSView: Vertiv believes that currently supported versions of Trellis are not impacted by the presently known variants of these issues.  However, is it likely the underlying operating system, drivers, and firmware may require security updates.  Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
• Aperture: Vertiv believes that currently supported versions of Aperture are not impacted by the presently known variants of these issues.  However, is it likely the underlying operating system, drivers, and firmware may require security updates.  Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.
• iCOM-S: Vertiv believes that currently supported versions of iCOM-S are not impacted by the presently known variants of these issues.  However, is it likely the underlying operating system, drivers, and firmware may require security updates.  Vertiv strongly recommends customers contact their operating system and hardware vendors for applicable updates.

Products that are impacted:

• UMG 6000: The UMG 6000 employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.
• ACS 800: The ACS 800 employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.
• ACS 8000: The ACS 8000 employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.
• Global HMI: The Global HMI employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.
• IoT Gateway: The IoT Gateway employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.
• iCOM Color displays:  The iCOM Color displays employ CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.  Additionally, the iCOM Color displays take measures to prevent execution of non-supported code, mitigating the issue.
• iCOM-CMS:  The iCOM-CMS employs CPUs known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.  Additionally, the iCOM-CMS takes measures to prevent execution of non-supported code, mitigating the issue.
• RDU300, RDU500, RDU-AT 2, RDU-M: The listed RDU models employs CPU known to be impacted to the recently disclosed speculative execution functionality vulnerabilities.

What is Vertiv doing to address impacted offerings

Vertiv is notifying its customers of these potential security issues and actively deploying updates to affected products as the patches are made available from the processor vendors.