Fujitsu

Intel® Converged Security Management Engine (Intel® CSME) & Power Management Controller (PMC) Security Vulnerability Q2’2018 Security Release; September 2018


Intel® Converged Security Management Engine (Intel® CSME) Q2’2018 Security Release & Power Management Controller (PMC) Security Vulnerability in Systems using specific Intel® Converged Security and Management Engine (CSME) or Intel® Server Platform Services firmware versions

Fujitsu Communication

Original release:   11.09.2018


Potential Exposure of Intel® CSME assets through physical access: (CVE-2018-3655, INTEL-SA-00125)
Intel was notified of an issue with the Intel® Converged Security and Management Engine (Intel® CSME) firmware. An attacker with physical access could do the following on an individual platform:
  • Bypass Intel® CSME anti-replay protection, thus allowing potential brute force attacks on secrets stored inside the Intel® CSME;
  • Gain unauthorized access to the Intel® MEBX password;
  • Tamper with the integrity of the Intel® CSME file system directories or the Server Platform Services and Trusted Execution Environment (Intel® TXE) data files.
Mitigations described in INTEL-SA-00086 do not prevent the issue, since an attacker with physical access to the system may be able to roll back to an earlier Intel® CSME firmware affected by CVE-2017-5705, CVE-2017-5706 and CVE-2017-5707.
The issue has been identified as a vulnerability in the Intel® CSME firmware on versions: 11.0 thru 11.8.50; 11.10 thru 11.11.50; 11.20 thru 11.21.50, 12.03, Intel® Server Platform Services firmware version 4.x (on Purley and Bakerville only) and Intel® TXE version 3.x.
Systems using Intel® CSME firmware versions prior to 11.0/ Intel® Server Platform Services 4.0/TXE 3.0 or using firmware versions 11.8.55/11.11.55/11.21.55/ Intel® Server Platform Services 4.x.05/ Intel® Server Platform Services 5.0 and higher/TXE 3.1.55, do not contain the identified vulnerability.

A release of mitigations for Intel® Active Management Technology (Intel® AMT) security vulnerabilities (CVE-2018-3657, CVE-2018-3658, CVE-2018-3616, INTEL-SA-00141)
This release contains firmware updates for Intel® AMT security vulnerabilities found internally by Intel:
  • Buffer overflows in Intel® AMT may allow a privileged attacker to execute arbitrary code with Intel® AMT execution privilege via local access;
  • Memory leaks in Intel® AMT may allow an unprivileged attacker with Intel® AMT provisioned to cause a partial denial of service via network access.
Affected Intel® CSME firmware versions: 11.0 thru 11.8.50; 11.10 thru 11.11.50; 11.20 thru 11.21.50; 12.0 and 12.0.3. Intel has released new firmware updates that address the vulnerabilities. The first firmware update on each branch with the vulnerability addressed is: 11.8.55, 11.11.55, 11.21.55, 12.0.5.
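The affected ranges and first fixed versions listed above for INTEL-SA-00141 can be checked across a set of already collected CSME version strings. The following is an added example, not Fujitsu or Intel code; the function names, the sample inventory, the handling of a fourth build field and the treatment of "12.0 and 12.0.3" as a range are assumptions.

```python
import re

# (first affected, last affected, first fixed) per CSME branch, as listed in
# the advisory for INTEL-SA-00141. "12.0 and 12.0.3" is treated conservatively
# as the range 12.0.0-12.0.3 (assumption).
BRANCHES = [
    ((11, 0, 0), (11, 8, 50), (11, 8, 55)),
    ((11, 10, 0), (11, 11, 50), (11, 11, 55)),
    ((11, 20, 0), (11, 21, 50), (11, 21, 55)),
    ((12, 0, 0), (12, 0, 3), (12, 0, 5)),
]


def parse_version(text):
    """Return (major, minor, hotfix); a trailing build number is ignored."""
    if not re.fullmatch(r"\d+(\.\d+){1,3}", text.strip()):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(text)
    # Pick the highest branch that starts at or below this version.
    branch = next((b for b in reversed(BRANCHES) if b[0] <= v), None)
    if branch is None or v[0] != branch[0][0]:
        return "not-listed"      # older than 11.0 or a newer major version
    first, last, fixed = branch
    if v <= last:
        return "affected"
    if v >= fixed:
        return "fixed"
    return "not-listed"          # between last affected and first fixed


def triage(inventory):
    """Map {hostname: version} to {hostname: status}; bad input is flagged."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = classify(version)
        except ValueError:
            report[host] = "unparseable"
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"pc-01": "11.8.50.3425", "pc-02": "11.8.55", "pc-03": "11.11.20",
          "pc-04": "12.0.3", "pc-05": "10.0.30", "pc-06": "11.8.52", "pc-07": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {SAMPLE[host]} -> {status}")
```

Versions reported as "not-listed" or "unparseable" are the ones to check by hand against the list of affected systems.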

Intel® Active Management Technology 9.x/10.x/11.x/12.0 ROBOT TLS issue (CVE-2018-3616, INTEL-SA-00141)
In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive chosen-ciphertext attack. Nineteen years later, security researchers discovered that, with some slight variations, this vulnerability can still be used against many HTTPS hosts on today's Internet. The researchers dubbed it the Return Of Bleichenbacher's Oracle Threat, the ROBOT attack (https://robotattack.org/). This updated ROBOT attack affects the confidentiality of Seamless Remote Attestation with Transport Layer Security (TLS) when used with RSA encryption.

A release of mitigations for Intel® Platform Trusted Technology (Intel® PTT) security vulnerabilities (CVE-2018-3659, INTEL-SA-00142)
A logic issue was discovered internally in the Intel® PTT module that allows an attacker to uncover certain Intel® PTT secrets via physical access.
  • Affected firmware versions: Intel® CSME 12.0 and 12.0.3 and Intel® TXE 3.0;
  • Intel has released new firmware updates that address the vulnerability. The first firmware update on each branch with the vulnerability addressed is: 12.0.5 and TXE 3.1.55.

Potential Impact:
According to the information provided the potential impact is:

Elevation of Privilege / Information Disclosure / Denial of Service


Power Management Controller (PMC) Security Vulnerability (CVE-2018-3643, INTEL-SA-00131)
A vulnerability in Power Management Controller firmware in systems using specific Intel® Converged Security and Management Engine (CSME) or Intel® Server Platform Services firmware versions allows an attacker with administrative privileges to uncover certain platform secrets via local access.

Potential Impact:
According to the information provided the potential impact is:

Elevation of Privilege / Information Disclosure

CVE Reference (INTEL-SA-00125, INTEL-SA-00131, INTEL-SA-00141, INTEL-SA-00142):
Intel® Converged Security Management Engine (CSME)
Power Management Controller (PMC)
CVE Number | CVSS
--- | ---
CVE-2018-3616 | CVSS 7.4 (M)
CVE-2018-3643 | CVSS 8.2 (H)
 | CVSS 4.6 (M)
CVE-2018-3655 | CVSS 7.5 (H)
CVE-2018-3657 | CVSS 6.7 (M)
CVE-2018-3658 | CVSS 5.3 (M)
CVE-2018-3659 | CVSS 6.8 (M)

Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:
List of affected Fujitsu systems

This page will be updated regularly as soon as new information is available.
Besides the list of affected systems, more detailed advice will also follow.

Technical Details:
Technical details of the exploits are documented online:

Update via BIOS:
Step 1: Determine whether you have an affected system.
Refer to the list of affected systems. This list is updated regularly.

Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu support page and follow these steps:
  • Select “Browse for Product”
  • Select “product line”
  • Select “product group” and “product family”.
  • Download and install the latest BIOS update package
Step 3: Use the Intel-SA-00125 Detection Tool to verify that the issue has been remediated.


Update the Management Engine (ME) Firmware (might be available only for some Client Computing Devices products):
Updating the ME firmware is an alternative to updating the BIOS and is used when a BIOS update is not planned.
Step 1: Determine whether you have an affected system.
Refer to the list of affected systems. This list is updated regularly.

Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download the ME update package.
To download the ME update package, please go to the Fujitsu support page and follow these steps:
  • Select “Browse for Product”
  • Select “product line”
  • Select “product group” and “product family”.
  • Download the latest ME update package
Step 3: Preparation.
After downloading the *.zip file containing the ME Firmware Update Pack, extract all files, folders and subfolders in the Firmware.ME folder (\Firmware.ME) of the zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.
"Firmware.ME" contains the ME update files, which can be used in a Windows environment. Run "update.bat" in a Windows cmd environment with administrative privileges to start the ME flash procedure. Choose the 32-bit or 64-bit folder depending on whether you are using a 32-bit or a 64-bit Windows installation.

Hints:
  • To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel(R) Active Management Technology Driver package for Windows.
  • To run the ME Update procedure using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime with "drvload.exe <Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.

Should you require any further information, please contact: G02D-psirt@ts.fujitsu.com.

Note:
Fujitsu does not manufacture the affected microprocessors that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors. Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.
Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.