Fujitsu PSIRT — Security Advisories (2018)
2018.3 INTEL QUARTERLY SECURITY RELEASE (QSR)
Intel 2018.3 QSR covering Intel® SGX and Intel® Processor Microcode (MCU) updates (Intel® Speculative Execution Side Channel Update / L1 Terminal Fault (L1TF))
Speculative execution side-channel method called L1 Terminal Fault (L1TF): (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646, INTEL-SA-00161)
This method impacts select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX). Further investigation by Intel has identified two related applications of L1TF with the potential to impact additional microprocessors, operating systems, system management mode, and virtualization software. If used for malicious purposes, this class of vulnerability has the potential to improperly infer data values from multiple types of computing devices.
CVE Reference (CVE-2018-3615, CVE-2018-3620, CVE-2018-3646):
CERT Vulnerability Notes Database Reference: (VU#982149)
Our supplier Intel has worked with operating system vendors, equipment manufacturers, and other ecosystem partners to develop platform firmware and software updates that can help protect systems from these methods.
This includes the release of updated Intel microprocessor microcode to our customers and partners. This microcode was previously released as part of INTEL-SA-00115.
Please refer to our already published web page:
Intel Q2 Security Update on Side-Channel Analysis Method Vulnerability
Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.
An overview of the affected Client Computing Devices and PRIMERGY/PRIMEQUEST products can be found here:
List of affected systems
This page will be updated regularly as soon as new information is available.
In addition, Fujitsu highly recommends system owners ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have hands-on access to devices.
Technical details of the exploits are documented online:
Selected links for operating system patches:
Should you require any further security-related assistance, please contact: Fujitsu-PSIRT@ts.fujitsu.com.
Fujitsu does not manufacture the affected microprocessors, which Fujitsu buys from third-party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third-party suppliers of the affected microprocessors.
Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.
Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.
Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.