This week Dell and HP are playing the Hokey Pokey on the BIOS updates: “Put your BIOS update in, take your BIOS update out”. Maybe don’t shake it all about. But all joking aside, Dell and HP published alerts that there are issues with the BIOS patches designed to mitigate the Meltdown and Spectre vulnerabilities.
See below for more details from Dell and HP:
According to Dell’s site, “Intel has communicated new guidance regarding ‘reboot issues and unpredictable system behavior’ with the microcode included in the BIOS updates released to address Spectre (Variant 2), CVE-2017-5715. Dell is advising that all customers should not deploy the BIOS update for the Spectre (Variant 2) vulnerability at this time. We have removed the impacted BIOS updates from our support pages and are working with Intel on a new BIOS update that will include new microcode from Intel.”
For those who have already rolled this BIOS update out, Dell suggests reverting to a previous BIOS version.
HP has a similar notice on their website.
“In response to Intel’s recommendation, HP is taking the following actions:
HP is working closely with our partners, and updates will be made as soon as possible. Check this Security Bulletin frequently for updates.”
HP also recommends ensuring your antivirus software and its definitions are up to date before installing the Windows OS update.
Both BIOS advisories stem from an issue with Intel’s microcode patch, which was discovered when updated systems rebooted more often than expected and showed other unpredictable behavior. Intel, like Dell and HP, urges everyone to stop deploying these versions, roll back if you already have, and stay current so you are ready when a corrected patch is released.
As any seasoned IT professional would expect, with such a rushed and broad rollout of these updates, some new issues have been discovered. Many clients do not have a stockpile of servers just to test on outside of production. However, like any updates, we recommend you deploy out of production first. If you had no choice, there is a rollback option for those BIOS updates.
Many IT professionals took this opportunity and downtime window to patch other firmware and drivers on the servers. I would still recommend doing so, again in a test environment before production when possible. Many other vulnerabilities and issues are addressed in those as well. This doesn’t mean you should wait six months before even looking at this, though. Malicious code is being written in a flurry to exploit these vulnerabilities. You can still patch your operating systems for the flaw.
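Before deciding whether a host needs the BIOS rolled back, or whether it is at least carrying the OS-level mitigation, it helps to have a read-only check that records what is actually running. The script below is an added example, not from this article or from Dell, HP or Intel. It assumes a Linux host with the stock `/proc/cpuinfo` microcode field, the kernel’s `/sys/devices/system/cpu/vulnerabilities/spectre_v2` file, and `dmidecode` for the BIOS version; the list of held-back microcode revisions is a placeholder you fill in from your vendor’s advisory, not a real value.

```shell
#!/bin/sh
# Added example (not vendor code): read-only pre-flight check of a Linux
# host's BIOS version, CPU microcode revision and the kernel's Spectre v2
# status, so you can decide about rollback from recorded facts.

# PLACEHOLDER: space-separated microcode revisions your vendor has asked
# you not to run. Fill from the Dell/HP/Intel advisory; empty by default.
HELD_BACK_MICROCODE="${HELD_BACK_MICROCODE:-}"

# Print the microcode revision from /proc/cpuinfo-style text on stdin.
cpu_microcode() {
    awk -F': ' '/^microcode/ { print $2; exit }'
}

# Print the BIOS version from "dmidecode -t bios"-style text on stdin.
bios_version() {
    awk -F': ' '/^[[:space:]]*Version:/ { print $2; exit }'
}

# Classify the kernel's spectre_v2 line into a short state word.
spectre_v2_state() {
    case "$1" in
        Mitigation:*)   echo "mitigated" ;;
        Vulnerable*)    echo "vulnerable" ;;
        "Not affected") echo "not-affected" ;;
        *)              echo "unknown" ;;
    esac
}

# Exit 0 if the given microcode revision is on the held-back list.
microcode_held_back() {
    for rev in $HELD_BACK_MICROCODE; do
        [ "$rev" = "$1" ] && return 0
    done
    return 1
}

# Live report for this host; every source is optional and read-only.
report_host() {
    if [ -r /proc/cpuinfo ]; then
        mc="$(cpu_microcode < /proc/cpuinfo)"
    else
        mc="unavailable"
    fi
    s2_file=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    if [ -r "$s2_file" ]; then
        s2="$(cat "$s2_file")"
    else
        s2=""
    fi
    # dmidecode reads SMBIOS tables and normally needs root.
    if command -v dmidecode >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        bv="$(dmidecode -t bios 2>/dev/null | bios_version)"
    else
        bv="unavailable (dmidecode needs root)"
    fi
    echo "host:       $(hostname 2>/dev/null || echo unknown)"
    echo "bios:       ${bv:-unknown}"
    echo "microcode:  ${mc:-unknown}"
    echo "spectre_v2: $(spectre_v2_state "$s2") (${s2:-no sysfs entry})"
    if [ -n "$mc" ] && microcode_held_back "$mc"; then
        echo "ACTION:     microcode is on the vendor hold list; plan BIOS rollback"
    fi
}

report_host
```

Run it on each server as part of the inventory before the maintenance window; the `ACTION` line only appears once `HELD_BACK_MICROCODE` has been populated from the vendor bulletin, so an empty list never produces false rollback advice.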
Keep in mind this will be an ongoing patch process for almost everything with an LED or chip and a driver for years, so stay vigilant! Just because one window is open, don’t unlock the doors and open the other windows.