Product
Support
PANIER DE
TÉLÉCHARGEMENT

2020.2 INTEL PLATFORM UPDATE (IPU)





Intel 2020.2 IPU covering Intel® CSME, SPS, TXE, AMT, ISM & DAL updates, Intel® Firmware (BIOS) updates, Intel® Processor Microcode (MCU) updates

Fujitsu Communication

Original release:   November 10, 2020
Last update:December 10, 2020
Fujitsu PSIRT ID:PSS-IS-2020-061817


Advisory Description

INTEL-SA-00391: 2020.2 IPU – Intel® CSME, SPS, TXE, AMT, ISM & DAL Advisory
Multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Server Platform Services (Intel® SPS), Trusted Execution Engine (Intel® TXE), Intel® Active Management Technology (Intel® AMT) (including Intel® Standard Manageability (ISM)) and Intel® Dynamic Application Loader (Intel® DAL) may allow a denial of service, information disclosure or an escalation of privilege. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
  • CVE-2020-8752: Out-of-bounds write in IPv6 subsystem for Intel® AMT, Intel® ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable escalation of privileges via network access.
  • CVE-2020-8753: Out-of-bounds read in DHCP subsystem for Intel® AMT, Intel® ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.
  • CVE-2020-12297: Improper access control in Installer for Intel® CSME Driver for Windows versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.
  • CVE-2020-8745: Insufficient control flow management in subsystem for Intel® CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE versions before 3.1.80 and 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
  • CVE-2020-8744: Improper initialization in subsystem for Intel® CSME versions before 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE versions before 4.0.30 Intel® SPS versions before E3_05.01.04.200 may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-8705: Insecure default initialization of resource in Intel® Boot Guard in Intel® CSME versions before 11.8.82, 11.12.82, 11.22.82, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE versions before 3.1.80 and 4.0.30, Intel® SPS versions before E5_04.01.04.400, E3_04.01.04.200, SoC-X_04.00.04.200 and SoC-A_04.00.04.300 may allow an unauthenticated user to potentially enable escalation of privileges via physical access.
  • CVE-2020-8750: Use after free in Kernel Mode Driver for Intel® TXE versions before 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privilege via local access.
  • CVE-2020-12303: Use after free in DAL subsystem for Intel® CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70, 13.0.40, 13.30.10, 14.0.45 and 14.5.25, Intel® TXE 3.1.80 and 4.0.30 may allow an authenticated user to potentially enable escalation of privileges via local access.
  • CVE-2020-8757: Out-of-bounds read in subsystem for Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-8756: Improper input validation in subsystem for Intel® CSME versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-8760: Integer overflow in subsystem for Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-12355: Authentication bypass by capture-replay in RPMB protocol message authentication subsystem in Intel® TXE versions before 4.0.30 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
  • CVE-2020-8751: Insufficient control flow management in subsystem for Intel® CSME versions before 11.8.80, Intel® TXE versions before 3.1.80 may allow an unauthenticated user to potentially enable information disclosure via physical access.
  • CVE-2020-8754: Out-of-bounds read in subsystem for Intel® AMT, Intel® ISM versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure via network access.
  • CVE-2020-8761: Inadequate encryption strength in subsystem for Intel® CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.
  • CVE-2020-8747: Out-of-bounds read in subsystem for Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable information disclosure and/or denial of service via network access.
  • CVE-2020-8755: Race condition in subsystem for Intel® CSME versions before 12.0.70 and 14.0.45, Intel® SPS versions before E5_04.01.04.400 and E3_05.01.04.200 may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
  • CVE-2020-12356: Out-of-bounds read in subsystem in Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow a privileged user to potentially enable information disclosure via local access.
  • CVE-2020-8746: Integer overflow in subsystem for Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable denial of service via adjacent access.
  • CVE-2020-8749: Out-of-bounds read in subsystem for Intel® AMT versions before 11.8.80, 11.12.80, 11.22.80, 12.0.70 and 14.0.45 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.

Vulnerabilities described in CVE-2020-12304 and CVE-2020-12354 address Intel® DAL SDK and Intel® AMT SDK respectively. Mitigation is at the discretion of the end user. The Intel® AMT SDK is available for download at Intel.

The vulnerability described in CVE-2020-12355, addressing the Replay Protected Memory Block (RPMB) protocol in Intel® TXE, is further referenced in the Carnegie Mellon University SEI CERT Coordination Center note VU#231329.

Potential Impact:
According to the information provided the potential impact of INTEL-SA-00391 is:

Denial of Service, Information Disclosure, Privilege Escalation


INTEL-SA-00358: 2020.2 IPU – Intel® Firmware (BIOS) Advisory
Multiple potential security vulnerabilities in BIOS firmware for Intel® Processors may allow a denial of service and/or an escalation of privilege. The detailed description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
  • CVE-2020-0590: Improper input validation in BIOS firmware for some Intel® Processors may allow an authenticated user to potentially enable escalation of privilege via local access.
  • CVE-2020-0587: Improper conditions check in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-0591: Improper buffer restrictions in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-0593: Improper buffer restrictions in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-0588: Improper conditions check in BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
  • CVE-2020-0592: Out of bounds write in BIOS firmware for some Intel® Processors may allow an authenticated user to potentially enable escalation of privilege and/or denial of service via local access.
Potential Impact:
According to the information provided the potential impact of INTEL-SA-00358 is:

Denial of Service, Privilege Escalation


INTEL-SA-00381: 2020.2 IPU – Intel® Fast forward Store Predictor (FFSP) and Vector Register Leakage-Active (VRLA) Advisory
Multiple potential security vulnerabilities in some Intel® Processors may allow information disclosure. The detailed description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
  • CVE-2020-8698: Improper isolation of shared resources in some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access (FFSP).
  • CVE-2020-8696: Improper removal of sensitive information before storage or transfer in some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access (VRLA).

The audience may please refer to further publications by manufacturer Intel® on the 2020.2 IPU – Intel® Fast forward Store Predictor (FFSP) and Vector Register Leakage-Active (VRLA) Advisory, such as the corresponding article IPAS: Security Advisories for November 2020, for additional technical details about FFSP and VRLA.

Potential Impact:
According to the information provided the potential impact of INTEL-SA-00381 is:

Information Disclosure


INTEL-SA-00389: 2020.2 IPU – Intel® Running Average Power Limit (RAPL) Advisory
Multiple potential security vulnerabilities in the Intel® Running Average Power Limit (RAPL) interface may allow information disclosure. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
  • CVE-2020-8694: Insufficient access control in the Linux kernel driver for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.
  • CVE-2020-8695: Observable discrepancy in the RAPL interface for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.

The audience may please refer to further publications by manufacturer Intel® on the 2020.2 IPU – Intel® Running Average Power Limit (RAPL) Advisory, such as the corresponding article IPAS: Security Advisories for November 2020, for additional technical details about RAPL. The Running Average Power Limit (RAPL) issue may also be widely known as PLATYPUS.

Potential Impact:
According to the information provided the potential impact of INTEL-SA-00389 is:

Information Disclosure


2020.2 IPU – Intel® Processor Microcode (MCU) and Intel® Firmware (BIOS) Functional Updates
Additionally, multiple functional updates took place in Intel® Processor Microcode (MCU), affecting products / architectures CLX, SKX, CFL, CFL-S, Grantley HSX EP C0, SKL, KBL, WHL, AML, ICL and LKF, referring to:
  • CLX MOB Speedpath: CLX has a speedpath that can cause unpredictable system behavior. This speedpath has only been observed to manifest at high frequency (e.g. >=3.6GHz) but may impact lower frequencies as well. (CLX)
  • IRR Restore with RS throttle (ITR #2): Lost interrupt during RS throttling. (SKX, CLX)
  • CFL-S Display PLL: Display PLL settings change. (CFL, CFL-S)
  • Incorrect Data Returned when Reading Per DIMM Temperatures on Server Haswell-EP Processor: Issue observed when reading per-DIMM temperatures through the PECI command after patch 0x43 (2019.1 IPU). (Grantley-HSX EP C0)
  • MD_Clear Errata: On processors that enumerate the MD_CLEAR CPUID bit, the VERW instruction may not clear all buffers under certain conditions. (SKX, CLX, SKL, KBL, CFL (including Xeon E3), WHL, AML)
  • SSBD may not properly restrict load execution: Under certain microarchitectural conditions, loads may execute speculatively before the addresses of all older stores are known, even when IA32_SPEC_CTRL.SSBD=1, or when in SMM or SGX. (ICL, LKF)

Additionally, multiple functional updates took place in BIOS and CSME/SPS, which were updated on some SKU’s to address their sightings, affecting products / architectures CLX, SKX, SKX-D, Xeon E Mehlow, CFL, ICL client, SKL client, referring to:
  • CLX/AEP Dropped Write: The issue applies to CLX/AEP and can be seen on channels that have a DDR4 DIMM and DDRT DIMM. (CLX)
  • Multiple fixes and enhancements: Rank-switching Speedpath , Multiple VLS, eMCA legacy issues: Adv. Mem Test, PPR, Patrol Scrub and other changes. (SKX, CLX)
  • Intel® Xeon® E Mehlow/CFL Platform Memory/Boot Issue: Customer systems configured with MRC v100 may fail to boot during cold boot. Reports indicate the failure is due to MRC RTL (Round Trip Latency) training failures. (Xeon E Mehlow, CFL)
  • SKX-D PCH SATA Issue: SKX-D SATA Lanes May Not Get Calibrated Correctly. (SKX-D)
  • Reducing Susceptibility to Rowhammer style attacks on DDR4: Added BIOS options for low watermark and 2x refresh to client and server CPUs. Added option to enable pTRR for client SKL based CPUs. (SKX, CLX & ICL client (Watermark, 2X), Client SKL family (Watermark, 2X, pTRR))

There were no additional CVEs assigned to these FUNCTIONAL updates.

CVE Reference (INTEL-SA-00391, INTEL-SA-00358, INTEL-SA-00381, INTEL-SA-00389)
INTEL-SA-00391: 2020.2 IPU – Intel® CSME, SPS, TXE, AMT, ISM & DAL Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE NumberCVSS Base Score
CVE-2020-87529.4 (Critical)
CVE-2020-87538.2 (High)
CVE-2020-122978.2 (High)
CVE-2020-87457.3 (High)
CVE-2020-87447.2 (High)
CVE-2020-87057.1 (High)
CVE-2020-87507.0 (High)
CVE-2020-123037.0 (High)
CVE-2020-87576.3 (Medium)
CVE-2020-87566.3 (Medium)
CVE-2020-87606.0 (Medium)
CVE-2020-123555.3 (Medium)
CVE-2020-87515.3 (Medium)
CVE-2020-87545.3 (Medium)
CVE-2020-87614.9 (Medium)
CVE-2020-87474.8 (Medium)
CVE-2020-87554.6 (Medium)
CVE-2020-123564.4 (Medium)
CVE-2020-87464.3 (Medium)
CVE-2020-87494.2 (Medium)

INTEL-SA-00358: 2020.2 IPU – Intel® Firmware (BIOS) Advisory
The description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
CVE NumberCVSS Base Score
CVE-2020-05907.7 (High)
CVE-2020-05876.7 (Medium)
CVE-2020-05916.7 (Medium)
CVE-2020-05934.7 (Medium)
CVE-2020-05883.8 (Low)
CVE-2020-05923.0 (Low)

INTEL-SA-00381: 2020.2 IPU – Intel® Fast forward Store Predictor (FFSP) and Vector Register Leakage-Active (VRLA) Advisory
The description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
CVE NumberCVSS Base Score
CVE-2020-86985.5 (Medium)
CVE-2020-86962.5 (Low)

INTEL-SA-00389: 2020.2 IPU – Intel® Running Average Power Limit (RAPL) Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE NumberCVSS Base Score
CVE-2020-86945.6 (Medium)
CVE-2020-86955.3 (Medium)

Links for Technical Details
Technical details of the potential security vulnerabilities and functional issues are documented online:

Affection and Remediation

Affected Fujitsu Products
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute updates for all affected products that are currently supported. Older systems that are no longer supported will not be updated.

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) and Server products (PRIMERGY and PRIMEQUEST) can be found here:

List of affected Fujitsu products (APL)

This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.

NOTE:

Intel® Security Advisory INTEL-SA-00404 is not officially part of this 2020.2 Intel Platform Update (IPU). However, certain updates were issued along with the 2020.1 Intel Platform Update (IPU) and some will be provided along with updates for this 2020.2 Intel Platform Update (IPU).

Intel® Security Advisory INTEL-SA-00356 is not officially part of this 2020.2 Intel Platform Update (IPU). However, updates will also be provided along with updates for this 2020.2 Intel Platform Update (IPU), except for non-affected CVE-2020-8671.

Intel® Security Advisory INTEL-SA-00403 is not officially part of this 2020.2 Intel Platform Update (IPU). However, updates will also be provided in the same period as the updates for this 2020.2 Intel Platform Update (IPU).

Intel® Security Advisories INTEL-SA-00439, INTEL-SA-00431, INTEL-SA-00430, INTEL-SA-00429, INTEL-SA-00424, INTEL-SA-00405 and INTEL-SA-00347 are not part of this 2020.2 Intel Platform Update (IPU). Further, Fujitsu is not affected by any of these Intel® Security Advisories.

Recommended Steps for Remediation
Remediation via BIOS Update
Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu products (APL). This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu Technical Support page and follow these steps:
  • Select "Select a new Product" (button)
  • Select "Browse for Product"
  • Select "product line"
  • Select "product group" and "product family".
  • Download and install the latest BIOS update package
Remediation via Management Engine (ME) Update
Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices.

Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu products (APL). This list is updated regularly.
Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download the ME update package.
To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:
  • Select "Select a new Product" (button)
  • Select "Browse for Product"
  • Select "product line"
  • Select "product group" and "product family".
  • Download and install the latest BIOS update package

Step 3: Preparation.
After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.
The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

Hints:
  • To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.
  • To run the ME update procedure, using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by excuting "drvload.exe \HECI.INF". The "HECI" driver can be extracted from the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.

Links for Software Security Updates
Vendor Fujitsu
support.ts.fujitsu.com

Vendor Intel
security-center.intel.com/


Further Information

Contact Details
Should you require any further security-related assistance, please contact: G02D-PSIRT@ts.fujitsu.com.
Legal Statement
Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.