Product
Support
KOSZYK POBRAŃ

2019.2 INTEL PLATFORM UPDATE (IPU) Q4 TAXI (PLUNDERVOLT)

Intel 2019.2 IPU Q4 TAXI (Plundervolt) covering Intel® Processor Microcode (MCU) updates via Intel® Firmware (BIOS) updates

Fujitsu Communication

Original release:   December 13, 2019
Latest update:March 23, 2020


Advisory Description

Intel® Processors Voltage Settings Modification 2019.2 IPU Q4 TAXI Advisory (INTEL-SA-00289)
A potential security vulnerability in some Intel® processors may allow an escalation of privilege and/or information disclosure. The detailed description of the vulnerability with a high CVSS base score is as follows:
  • Improper conditions check in voltage settings for some Intel® processors may allow a privileged user to potentially enable an escalation of privilege and/or information disclosure via local access. (CVE-2019-11157)

Intel mentioned that an SGX TCB key recovery is planned for later in Q1 2020, and that Intel documents will be updated with technical details in due course.

Potential Impact:
According to the information provided the potential impact of INTEL-SA-00289 is:

Information Disclosure, Privilege Escalation


Intel® Unexpected Page Fault in Virtualized Environment 2019.2 IPU Q4 TAXI Advisory (INTEL-SA-00317)
A potential security vulnerability in multiple Intel® processors may allow an escalation of privilege, denial of service, and/or information disclosure. The detailed description of the vulnerability with a medium CVSS base score is as follows:
  • Improper conditions check in multiple Intel® processors may allow an authenticated user to potentially enable a partial escalation of privilege, denial of service and/or information disclosure via local access. (CVE-2019-14607)
Potential Impact:
According to the information provided the potential impact of INTEL-SA-00317 is:

Denial of Service, Information Disclosure, Privilege Escalation


CVE Reference (INTEL-SA-00289, INTEL-SA-00317)
Intel® Processors Voltage Settings Modification 2019.2 IPU Q4 TAXI Advisory (INTEL-SA-00289)
CVE NumberCVSS Base Score
CVE-2019-111577.9 (High)

Intel® Unexpected Page Fault in Virtualized Environment 2019.2 IPU Q4 TAXI Advisory (INTEL-SA-00317)
CVE NumberCVSS Base Score
CVE-2019-146075.3 (Medium)

Links for Technical Details
Technical details of the potential security vulnerabilities and functional issues are documented online:

Affection and Remediation

Affected Fujitsu Products
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) and Server products (PRIMERGY and PRIMEQUEST) can be found here:

List of affected Fujitsu products (APL)

This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.

NOTE: The above List of affected Fujitsu products (APL) was already released, as part of the Fujitsu PSIRT's 2019.2 INTEL PLATFORM UPDATE (IPU) Security Advisory, in November 2019.

This 2019.2 INTEL PLATFORM UPDATE (IPU) Q4 TAXI (PLUNDERVOLT) Security Advisory is covered for OEM mainboards, desktop PCs (ESPRIMO), thin clients (FUTRO), workstations (CELSIUS) and mobile products (LIFEBOOK/STYLISTIC/CELSIUS), by the above list of affected Fujitsu products (APL).

However, an APL update for PRIMERGY and PRIMEQUEST products commenced in March 2020.

Recommended Steps for Remediation
Remediation via BIOS Update
Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu products (APL). This list is updated regularly.

Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu Technical Support page and follow these steps:
  • Select "Select a new Product" (button)
  • Select "Browse for Product"
  • Select "product line"
  • Select "product group" and "product family".
  • Download and install the latest BIOS update package
Remediation via Management Engine (ME) Update
Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices.

Step 1: Determine whether you have an affected system.
Refer to the list of affected Fujitsu products (APL). This list is updated regularly.

Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download the ME update package.
To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:
  • Select "Select a new Product" (button)
  • Select "Browse for Product"
  • Select "product line"
  • Select "product group" and "product family".
  • Download and install the latest BIOS update package
Step 3: Preparation.
After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.
The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

Hints:
  • To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel(R) Active Management Technology Driver package for Windows.
  • To run the ME Update procedure using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by "drvload.exe< Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.
Links for Software Security Updates
Vendor Fujitsu
support.ts.fujitsu.com

Vendor Intel
security-center.intel.com/


Further Information

Contact Details
Should you require any further security-related assistance, please contact: G02D-psirt@fujitsu.com.
Legal Statement
Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.