Intel Q2 Security Update on Side-Channel Analysis Method Vulnerability

Fujitsu Communication

Original release: 21.05.2018
Latest update: 27.06.2018
Reference: Security vulnerabilities of microprocessors (CVE-2018-3639, CVE-2018-3640, INTEL-SA-00115)
Variant 4 is a derivative of the side-channel methods previously disclosed in January.
Like the other variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. To offer the option of full mitigation and to prevent this method from being used in other ways, mitigation is provided through a combination of microcode updates (MCUs) and software updates. This update also includes MCUs addressing Variant 3a (Rogue System Register Read), which was previously disclosed. These two MCUs were bundled together to streamline the process for customers. We continue to urge all customers to keep their systems up to date.
CVE Reference: (INTEL-SA-00115)
Side-Channel Analysis Method Q2 Update
| CVE Number | CVSS | Comment |
| --- | --- | --- |
| CVE-2018-3639 | CVSS 4.3, Medium | Variant 4: Microcode updates and operating system security patches are needed |
| CVE-2018-3640 | CVSS 4.3, Medium | Variant 3a: Only microcode updates are needed |
The microcode updates will also include other enhancements to assist software in the mitigation of potential future side-channel security vulnerabilities.
Potential impact:
According to the information provided the potential impact is:

CVE-2018-3639 – Speculative Store Bypass (SSB)
  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2018-3640 – Rogue System Register Read (RSRE)
  • Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems

This page will be updated regularly as soon as new information is available.
In addition to the list of affected systems, more detailed advice will follow.

In addition, Fujitsu highly recommends system owners ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have hands-on access to devices.
Technical Details:
Technical details of the exploits are documented online:
Fujitsu BS2000 Products
BS2000 Mainframes using /390 processors are not affected by this security issue.
Some of the BS2000 Mainframes use Intel processors. However, these are not affected either, as they run only system software provided by Fujitsu. The system software transforms user-created BS2000 applications into x86 programs. As a result, users cannot run their own x86 code to exploit the flaws. BS2000 systems are therefore safe and secure even without additional security patches.
For some optional BS2000 server components, such as Application Units, customers use operating systems or hypervisors other than BS2000 or VM2000. These customers should promptly deploy the patches provided by the respective manufacturer.
Fujitsu continues to monitor potential security issues for BS2000 products.
Update via BIOS:
Step 1: Determine whether you have an affected system.
 Refer to the list of affected Fujitsu systems. This list is updated regularly.
 Before proceeding, please check the expected availability of the relevant BIOS update package.
Step 2: Download and install the BIOS update package.
  To download and install the BIOS update package, please go to the Fujitsu support page and follow these steps:
  • Select "Browse for Product"
  • Select "product line"
  • Select "product group" and "product family"
  • Download and install the latest BIOS update package
Selected links for operating system patches:
Microsoft
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180013
Important Hint:
To enable the operating system mitigations for Speculative Store Bypass (CVE-2018-3639) together with the mitigations for Spectre Variant 2 (CVE-2017-5715) and Meltdown (CVE-2017-5754), dedicated registry settings are necessary, because these mitigations are not enabled by default.
For details, please refer to the following Microsoft website:
https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
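The registry check described in the hint above, as an added example that is not part of the original Fujitsu communication: a PowerShell script that reports the two override values and, with -Apply, sets them. The key path and the values 8 and 3 do not appear on this page; they are taken from the linked Microsoft article as its settings for Intel processors and are an assumption to confirm against the current revision of that article.

```powershell
# Added example: audit (and optionally set) the registry override values that
# enable the Windows mitigations for CVE-2018-3639 together with
# CVE-2017-5715 and CVE-2017-5754.
# Assumption: key path and values follow Microsoft KB4073119 for Intel CPUs;
# verify them against the linked article before deploying.
param([switch]$Apply)

$Path   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$Wanted = [ordered]@{
    FeatureSettingsOverride     = 8
    FeatureSettingsOverrideMask = 3
}

function Get-OverrideState {
    # Returns one object per value: what is configured now versus what is expected.
    foreach ($name in $Wanted.Keys) {
        $current = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Name     = $name
            Current  = if ($null -eq $current) { '(not set)' } else { $current }
            Expected = $Wanted[$name]
            Match    = ($current -eq $Wanted[$name])
        }
    }
}

$state = Get-OverrideState
$state | Format-Table -AutoSize

if ($state.Match -notcontains $false) {
    Write-Output 'Override values already match the expected settings.'
}
elseif ($Apply) {
    # Requires an elevated session; writes both values as REG_DWORD.
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $Path -Name $name -Value $Wanted[$name] -Type DWord
    }
    Get-OverrideState | Format-Table -AutoSize
    Write-Warning 'Restart the system for the new settings to take effect.'
}
else {
    Write-Warning 'Override values differ from the expected settings; rerun with -Apply from an elevated prompt to set them.'
}
```

Run without parameters, the script only reads the registry; the microcode (BIOS) update from the section above is still required for the Variant 4 mitigation to be available to the operating system.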
Oracle
https://blogs.oracle.com/oraclesecurity/
Red Hat
https://www.redhat.com/en/topics/security
SUSE
https://www.suse.com/c/suse-addresses-spectre-variant-4/
VMware
https://kb.vmware.com/s/article/54951
Should you require any further information, please contact: G02D-psirt@ts.fujitsu.com.
Note:
Fujitsu does not manufacture the affected microprocessors that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors. Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.
Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.