Fujitsu

Fujitsu Continental Europe, Middle East, Africa & India

  1. Home
  2. Support

Intel Firmware vulnerability INTEL-SA-00112 and INTEL-SA-00118


Intel® Management Engine Security Reviews

Fujitsu Communication

Original release:   11.07.2018


Reference: Intel security vulnerabilities (INTEL-SA-00112 and INTEL-SA-00118)
In an effort to continuously improve the robustness of the Intel® Management Engine, Intel has performed a security review of their Intel® Management Engine (ME) with the objective of continuously enhancing firmware resilience.
As a result, Intel has identified several security vulnerabilities that could potentially place affected Intel® Active Management Technology platforms at risk. Intel highly recommends that all customers install updated firmware on affected platforms.
For more detailed information related to the vulnerabilities, please refer to the Intel web site:
https://security-center.intel.com/


Intel® Active Management Technology 9.x/10.x/11.x Security Review Cumulative Update

CVE Reference (INTEL-SA-00112):
Intel® Active Management Technology 3.x,4.x,5.x,6.x,7.x,8.x,9.x, 10.x, 11.x
CVE NumberCVSS
CVE-2018-3628CVSS 8.1
CVE-2018-3629CVSS 7.5
Intel® Manageability Engine Firmware 6.x/7.x/8.x/9.x/10.x/11.0/11.5/11.6/11.7/11.10/11.20
CVE NumberCVSS
CVE-2018-3632CVSS 6.4
Description:
  • A buffer overflow may allow an attacker to execute arbitrary code or to cause a denial of service via the same subnet.
  • Memory corruption could be triggered by an attacker who has local administrator permissions on a system.
Intel-Support:
Intel® AMT versionCVE-2018-3628CVE-2018-3629CVE-2018-3632
11.xMitigatedMitigatedMitigated
10.xMitigatedMitigatedMitigated
9.xMitigatedMitigatedMitigated
8.xEnd of MaintenanceEnd of MaintenanceEnd of Maintenance
7.xEnd of MaintenanceEnd of MaintenanceEnd of Maintenance
6.xEnd of SupportEnd of SupportEnd of Support
5.xEnd of SupportEnd of SupportEnd of Support
4.xEnd of SupportEnd of SupportEnd of Support
3.xEnd of SupportEnd of SupportEnd of Support


Intel® Management Engine 11.x issue

CVE Reference (INTEL-SA-00118):
Intel® Management Engine ME 11.x
CVE NumberCVSS
CVE-2018-3627CVSS 7.5
Description:
A logic bug may allow an attacker to execute arbitrary code via local privileged access.
Affected Fujitsu products:
A number of Fujitsu products are affected by the vulnerabilities identified in the above mentioned Intel® firmware versions.

An overview can be found here:
List of affected Fujitsu systems

Fujitsu strongly recommends that all customers should install updated firmware / BIOS on impacted platforms. The update process and remediation steps are outlined below.
Recommended steps for remediation:
Step 1: Determine if your system is impacted.
Consult the list of affected Fujitsu systems. This list is updated regularly.

Check the expected availability of the BIOS update package.

Step 2: When available, download and install the BIOS update package.
To install and download the BIOS or firmware update package, please go to Fujitsu support page and proceed with the following actions:
  • Select “Browse for Product”.
  • Select “product line”.
  • Select “product group” and “product family”.
  • Select “operating system”.
  • Download and install the latest BIOS update package
    Should you require any further information at this stage, please contact:
    G02D-psirt@ts.fujitsu.com.
Note:
Fujitsu does not manufacture the affected microprocessors that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors. Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.
Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.