
Product
Support
Support
2019.2 INTEL PLATFORM UPDATE (IPU)
Intel 2019.2 IPU covering Intel® CSME, SPS, TXE, AMT, SGX, TXT & TSX updates, Intel® Firmware (BIOS) updates and Intel® Processor Microcode (MCU) updates | ||||||||||||||||||||||||||||||||||||||||||||||||||
Fujitsu Communication | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Advisory Description | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CSME, SPS, TXE and Intel® AMT 2019.2 IPU Advisory (INTEL-SA-00241) | ||||||||||||||||||||||||||||||||||||||||||||||||||
Multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Server Platform Services (Intel® SPS), Trusted Execution Engine (Intel® TXE) and Intel® Active Management Technology (Intel® AMT) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00241 is: Denial of Service, Information Disclosure, Privilege Escalation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® SGX and Intel® TXT 2019.2 IPU Advisory (INTEL-SA-00220) | ||||||||||||||||||||||||||||||||||||||||||||||||||
Multiple potential security vulnerabilities in Intel® Software Guard Extensions (Intel® SGX) and Intel® Trusted Execution Technology (Intel® TXT) may allow users to potentially cause an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:
Application providers may please refer to the original Intel® SGX and TXT Advisory as well as the Intel® SGX Attestation Technical Details, to determine whether they may need to implement changes to their SGX application for SGX attestation service, also including such solutions, which may utilize Remote Attestation (IAS). | ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00220 is: Privilege Escalation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® SGX with Intel® Processor Graphics 2019.2 IPU Advisory (INTEL-SA-00219) | ||||||||||||||||||||||||||||||||||||||||||||||||||
A potential security vulnerability in Intel® Software Guard Extensions (Intel® SGX) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:
Application providers may please refer to the original Intel® SGX with Intel® Processor Graphics Update Advisory as well as the Intel® SGX Attestation Technical Details, to determine whether they may need to implement changes to their SGX application for SGX attestation service, also including such solutions, which may utilize Remote Attestation (IAS). | ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00219 is: Information Disclosure | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Trusted Execution Technology 2019.2 IPU Advisory (INTEL-SA-00164) | ||||||||||||||||||||||||||||||||||||||||||||||||||
A potential security vulnerability in Intel® Trusted Execution Technology (Intel® TXT) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00164 is: Information Disclosure | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CPU Local Privilege Escalation 2019.2 IPU Advisory (INTEL-SA-00240) | ||||||||||||||||||||||||||||||||||||||||||||||||||
Multiple potential security vulnerabilities in Intel® Trusted Execution Technology (Intel® TXT) may allow users to potentially cause an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00240 is: Privilege Escalation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Firmware (BIOS) 2019.2 IPU Advisory (INTEL-SA-00280) | ||||||||||||||||||||||||||||||||||||||||||||||||||
Multiple potential security vulnerabilities in Intel® firmware (BIOS) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high CVSS base scores is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00280 is: Denial of Service, Information Disclosure, Privilege Escalation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® TSX Asynchronous Abort 2019.2 IPU Advisory (INTEL-SA-00270) | ||||||||||||||||||||||||||||||||||||||||||||||||||
A potential security vulnerability in some Intel® CPUs may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:
The audience may please refer to the original TSX Asynchronous Abort Advisory as well as the corresponding article Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort, for additional technical details about "TAA" (Transactional Synchronization Extensions (TSX) Asynchronous Abort). | ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00270 is: Information Disclosure | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Voltage Modulation 2019.2 IPU Advisory (INTEL-SA-00271) | ||||||||||||||||||||||||||||||||||||||||||||||||||
A potential security vulnerability in some Intel® CPUs may allow users to potentially cause a denial of service. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00271 is: Denial of Service | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CSME 2019.2 IPU Advisory (INTEL-SA-00307) | ||||||||||||||||||||||||||||||||||||||||||||||||||
A potential security vulnerability in Intel® Converged Security and Management Engine (Intel® CSME) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Potential Impact: | ||||||||||||||||||||||||||||||||||||||||||||||||||
According to the information provided the potential impact of INTEL-SA-00307 is: Denial of Service, Information Disclosure, Privilege Escalation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Processor Microcode (MCU) Updates 2019.2 IPU Advisory | ||||||||||||||||||||||||||||||||||||||||||||||||||
Additionally, multiple potential functional issues (or erratum) in Intel® processor microcode (MCU) may lead to a) an incorrect overwrite of fill buffers affected by MDS (Microarchitectural Data Sampling), b) Spectre variant 2 (BTI) mitigations not being fully effective, c) systems exhibiting unpredictable system behavior executing instructions and d) allowing an attacker to access confidential SGX enclave data using side-channel methods. The detailed description of the issues (no newly assigned CVEs; some FUNCTIONAL issue only) is as follows: MD_CLEAR OPERATIONS: May Overwrite Fill Buffers With Data That is Not Constant On processors that enumerate the MD_CLEAR CPUID bit, the VERW mem instruction will overwrite buffers affected by MDS (Microarchitectural Data Sampling). On processors also affected by this erratum, VERW may overwrite portions of the fill buffers with recently stored data rather than uniformly constant data. Software using VERW to prevent MDS side channel methods from revealing previous accessed data may not prevent those side-channel methods from inferring the value stored by the most recent preceding stores to certain address offsets. TA INDIRECT SHARING: STIBP, IBRS and IBPB May Not Function as Intended Spectre variant 2 (Branch Target Injection) mitigations may not be fully effective in certain corner cases. This affects one or more of STIBP, IBRS and IBPB MSR bits. The "retpoline" mitigation technique is not affected. This also does not affect parts that are run with Hyper-Threading (HT) disabled. SHUF: Unpredictable Behavior When Executing X87, AVX or Integer Divide Instructions Under complex micro-architectural conditions, executing an X87 or AVX or integer divide instruction may result in unpredictable system behavior. When this erratum occurs, the system may exhibit unpredictable system behavior. Intel has not observed this erratum with any commercially available software. EGETKEY: SGX Key Confidentiality May be Compromised Under complex micro-architectural conditions, it may be possible for the value of SGX keys to be inferred using side-channel methods. If exposed, such keys could allow an attacker to access confidential SGX enclave data. Processors that do not support Hyper-Threading (HT) are not affected by this issue. | ||||||||||||||||||||||||||||||||||||||||||||||||||
CVE Reference (INTEL-SA-00241, INTEL-SA-00220, INTEL-SA-00219, INTEL-SA-00164, INTEL-SA-00240, INTEL-SA-00280, INTEL-SA-00270, INTEL-SA-00271, INTEL-SA-00307)) | ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CSME, SPS, TXE and Intel® AMT 2019.2 IPU Advisory (INTEL-SA-00241) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® SGX and Intel® TXT 2019.2 IPU Advisory (INTEL-SA-00220) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® SGX with Intel® Processor Graphics 2019.2 IPU Advisory (INTEL-SA-00219) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Trusted Execution Technology 2019.2 IPU Advisory (INTEL-SA-00164) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CPU Local Privilege Escalation 2019.2 IPU Advisory (INTEL-SA-00240) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Firmware (BIOS) 2019.2 IPU Advisory (INTEL-SA-00280) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® TSX Asynchronous Abort 2019.2 IPU Advisory (INTEL-SA-00270) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® Voltage Modulation 2019.2 IPU Advisory (INTEL-SA-00271) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Intel® CSME 2019.2 IPU Advisory (INTEL-SA-00307) | ||||||||||||||||||||||||||||||||||||||||||||||||||
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Links for Technical Details | ||||||||||||||||||||||||||||||||||||||||||||||||||
Technical details of the potential security vulnerabilities and functional issues are documented online:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Affection and Remediation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Affected Fujitsu Products | ||||||||||||||||||||||||||||||||||||||||||||||||||
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched. An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) and Server products (PRIMERGY and PRIMEQUEST) can be found here: List of affected Fujitsu products (APL) This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow. NOTE: The above list of affected Fujitsu products (APL) was already released, as part of the Fujitsu PSIRT's 2019.2 INTEL PLATFORM UPDATE (IPU) Security Advisory, in November 2019. The 2019.2 INTEL PLATFORM UPDATE (IPU) INTEL-SA-00307 Security Advisory is already covered, by the above list of affected Fujitsu products (APL). | ||||||||||||||||||||||||||||||||||||||||||||||||||
Also, an APL update for PRIMERGY and PRIMEQUEST products commenced in March 2020. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Recommended Steps for Remediation | ||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation via BIOS Update | ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 1: Determine whether you have an affected system. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Refer to the list of affected Fujitsu products (APL). This list is updated regularly. Before proceeding, please check the expected availability of the relevant BIOS update package. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 2: Download and install the BIOS update package. | ||||||||||||||||||||||||||||||||||||||||||||||||||
To download and install the BIOS update package, please go to the Fujitsu Technical Support page and follow these steps:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Remediation via Management Engine (ME) Update | ||||||||||||||||||||||||||||||||||||||||||||||||||
Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 1: Determine whether you have an affected system. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Refer to the list of affected Fujitsu products (APL). This list is updated regularly. Before proceeding, please check the expected availability of the relevant ME update package. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 2: Download the ME update package. | ||||||||||||||||||||||||||||||||||||||||||||||||||
To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 3: Preparation. | ||||||||||||||||||||||||||||||||||||||||||||||||||
After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Step 4: ME Update Procedure. | ||||||||||||||||||||||||||||||||||||||||||||||||||
The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Hints:
| ||||||||||||||||||||||||||||||||||||||||||||||||||
Links for Software Security Updates | ||||||||||||||||||||||||||||||||||||||||||||||||||
Vendor Fujitsu support.ts.fujitsu.com | ||||||||||||||||||||||||||||||||||||||||||||||||||
Vendor Intel security-center.intel.com/ | ||||||||||||||||||||||||||||||||||||||||||||||||||
Further Information | ||||||||||||||||||||||||||||||||||||||||||||||||||
Contact Details | ||||||||||||||||||||||||||||||||||||||||||||||||||
Should you require any further security-related assistance, please contact: G02D-PSIRT@ts.fujitsu.com. | ||||||||||||||||||||||||||||||||||||||||||||||||||
Legal Statement | ||||||||||||||||||||||||||||||||||||||||||||||||||
Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors. Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time. Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites. Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners. |