2021.2 INTEL PLATFORM UPDATE (IPU)

Intel 2021.2 IPU covering Intel® SPS, AMT & PMC updates, Intel® Firmware (BIOS) updates, Intel® Processor Microcode (MCU) updates

Fujitsu Communication

Original release:8 Feb 2022
Fujitsu PSIRT ID:PSS-IS-2021-052110

Advisory Description

INTEL-SA-00470: 2021.2 IPU – Intel® SPS, AMT and PMC Advisory

Multiple potential security vulnerabilities in the Intel® Server Platform Services (Intel® SPS), Intel® Active Management Technology (Intel® AMT) and Intel® Power Management Controller (Intel® PMC) may allow a denial of service and/or an escalation of privilege. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE-2021-0060: Insufficient compartmentalization in HECI subsystem for Intel® SPS before versions SPS_E5_04.01.04.516.0, SPS_E5_04.04.04.033.0, SPS_E5_04.04.03.281.0, SPS_E5_03.01.03.116.0, SPS_E3_05.01.04.309.0, SPS_02.04.00.101.0, SPS_SoC-A_05.00.03.114.0, SPS_SoC-X_04.00.04.326.0, SPS_SoC-X_03.00.03.117.0, IGN_E5_91.00.00.167.0 and SPS_PHI_03.01.03.078.0 may allow an authenticated user to potentially enable escalation of privilege via physical access.

CVE-2021-33068: Null pointer dereference in subsystem for Intel® AMT before versions 15.0.35 may allow an authenticated user to potentially enable denial of service via network access.

CVE-2021-0147: Improper locking in the Power Management Controller (PMC) for some Intel® Chipset firmware before versions pmc_fw_lbg_c1-21ww02a and pmc_fw_lbg_b0-21ww02a may allow a privileged user to potentially enable denial of service via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00470 is:
Denial of Service, Privilege Escalation

INTEL-SA-00527: 2021.2 IPU – Intel® Firmware (BIOS) Advisory

Multiple potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow a denial of service, information disclosure or an escalation of privilege. The detailed description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:

CVE-2021-0103: Insufficient control flow management in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0114: Unchecked return value in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0115: Buffer overflow in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2021-0116: Out-of-bounds write in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0117: Pointer issues in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0118: Out-of-bounds read in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0099: Insufficient control flow management in the firmware for some Intel® Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

CVE-2021-0156: Improper input validation in the firmware for some Intel® Processors may allow an authenticated user to potentially enable an escalation of privilege via local access.

CVE-2021-0111: NULL pointer dereference in the firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.

CVE-2021-0107: Unchecked return value in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.

CVE-2021-0125: Improper initialization in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVE-2021-0124: Improper access control in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVE-2021-0119: Improper initialization in the firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via physical access.

CVE-2021-0092: Improper access control in the firmware for some Intel® Processors may allow a privileged user to potentially enable a denial of service via local access.

CVE-2021-0091: Improper access control in the firmware for some Intel® Processors may allow an unauthenticated user to potentially enable an escalation of privilege via local access.

CVE-2021-0093: Incorrect default permissions in the firmware for some Intel® Processors may allow a privileged user to potentially enable a denial of service via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00527 is:
Denial of Service, Information Disclosure, Privilege Escalation

INTEL-SA-00532: 2021.2 IPU – Intel® Processor Breakpoint Control Flow (PBCF) Advisory

A potential security vulnerability in some Intel® processors may allow a denial of service. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE-2021-0127: Insufficient control flow management in some Intel® processors may allow an authenticated user to potentially enable a denial of service via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00532 is:
Denial of Service

INTEL-SA-00561: 2021.2 IPU – Intel® Processor Shared Resource Advisory (PSRA) Advisory

Multiple potential security vulnerabilities in some Intel® Processors may allow information disclosure. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE-2021-0145: Improper initialization of shared resources in some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00561 is:
Information Disclosure

INTEL-SA-00589: 2021.2 IPU – Intel® Atom® Processor Advisory

A potential security vulnerability in some Intel® Atom® Processors may allow may allow a denial of service and/or information disclosure. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE-2021-33120: Out of bounds read under complex microarchitectural condition in memory subsystem for some Intel Atom® Processors may allow authenticated user to potentially enable information disclosure or cause denial of service via network access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00589 is:
Denial of Service, Information Disclosure

2021.2 IPU – Intel® Processor Microcode (MCU) and Intel® Firmware (BIOS) Functional Updates

Additionally, multiple functional updates took place in Intel® Processor Microcode (MCU) and BIOS/Kernel, affecting products/architectures ACF, ADL+, BDX, BFL, CFL, CLX, CML, CPX, DNV, GFL, GLK+, HWL, ICL, ICX+, LKF, RKL, SKL+, SKX/+/-D, TGL, referring to:

2nd Generation Xeon Memory Mode Machine Check Issue: Systems with 2nd Generation Intel® Xeon® Scalable Processors may machine check when using Intel® Optane Persistent Memory 100 Series in Memory Mode or Mixed Mode. (CLX)

System May Hang or Reboot Unexpectedly Due To System Stress: Under a complex set of microarchitectural conditions certain processors may incorrectly recover from a mis-predicted branch resulting in: 3-Strike Machine Checks without a TOR Timeout, unexpected exceptions, or other unpredictable system behavior. (RKL, TGL, ICL)

Dedicated Fast store forward predictor Control: Support optional disable for Fast Store Forwarding Predictor via IA32_SPEC_CTRL.PSFD. (ADL+, ICL, ICX+, LKF, RKL, TGL)

RAPL Filtering opt-in SW Switch: Intel® added an opt-in SW switch that allows System SW to enable RAPL power filtering to protect against attacks similar to CVE-2020-8695. (GLK+, SKL+, SKX+)

WBINVD CHA Conflict Resolution: Under complex microarchitecural conditions, during the writeback and invalidate cache instruction (WBINVD) execution, the Caching and Home Agent (CHA) may not correctly resolve a conflict between read and write instructions on a two or more socket system. This may result in a 3-strike error with TOR timeout or other unpredictable system behavior. (CLX, CPX, SKX)

Thermal Status Model Specific Register: Some STATUS/LOG bits in MSR IA32_THERM_STATUS (0x19c) #GP fault incorrectly on a write of a value 1 during a Read-Modify-Write sequence for that MSR. (ACF, CLX, CPX, SKX)

System hangs with 2400 UDIMM: Uncorrectable memory errors resulting in system hang may occur when running with 2400 UDIMM memory config and enabling Pkg C6 for the system. (BDX, HWL)

Intel® Server Platform Services Firmware: Timeout while Advanced Memory Test is enabled results in reduced Intel® SPS Firmware functionality when failing memory is installed. Intel® SPS Firmware enters Recovery Mode when Flash Descriptor Verification (FD0V) feature is enabled. Platform does not boot after power loss during update scenario including Intel® SPS Firmware SVN increase. (CLX, DNV, SKX/-D)

CHA BL VNA credit setting for CPX systems: CHA (Caching Home Agent) BL (Block Layer) VNA (Virtual Network Adaptive) credit programming requires target ports for PCIe to have credits programmed based on system configuration for performance and functional requirements. (CPX)

System hangs during boot with POST code 0xBB when installed system memory exceeds selected MMIO High base: The system cannot boot when MMIO high base overlaps with the amount of installed system memory available to map. (CLX)

Resizable BAR Support for Discrete Graphics: Modern graphics cards may deliver reduced performance without this feature enabled. (BFL, CML, CFL, GFL)

Additionally, a functional update took place in Intel® Processor Microcode (MCU), affecting products / architectures Celeron G, Core 7-9 Gen., Pentium Gold, Xeon E/E3v5/E3v6 family, referring to:

TSX Deprecation: Intel® further deprecates and removes its Intel® Transactional Synchronization Extensions (Intel® TSX) feature via MCU on a subset of PC client platforms with the release of the 2021.2 Intel Platform Update (IPU). The MCU will provide the ability to re-enable TSX on these platforms as a software development vehicle. (Core 8-10 Gen., Xeon E)

There were no additional CVEs assigned to these FUNCTIONAL updates.

CVE Reference (INTEL-SA-00470INTEL-SA-00527INTEL-SA-00532INTEL-SA-00561INTEL-SA-00589)

INTEL-SA-00470: 2021.2 IPU – Intel® SPS, AMT and PMC Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE Number

CVSS Base Score

CVE-2021-0060

7.3 (High)

CVE-2021-33068

5.0 (Medium)

CVE-2021-0147

4.4 (Medium)

INTEL-SA-00527: 2021.2 IPU – Intel® Firmware (BIOS) Advisory
The description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:

CVE Number

CVSS Base Score

CVE-2021-0103

8.2 (High)

CVE-2021-0114

7.9 (High)

CVE-2021-0115

7.9 (High)

CVE-2021-0116

7.9 (High)

CVE-2021-0117

7.9 (High)

CVE-2021-0118

7.9 (High)

CVE-2021-0099

7.8 (High)

CVE-2021-0156

7.5 (High)

CVE-2021-0111

7.2 (High)

CVE-2021-0107

7.2 (High)

CVE-2021-0125

6.7 (Medium)

CVE-2021-0124

6.3 (Medium)

CVE-2021-0119

5.8 (Medium)

CVE-2021-0092

4.7 (Medium)

CVE-2021-0091

3.2 (Low)

CVE-2021-0093

2.4 (Low)

INTEL-SA-00532: 2021.2 IPU – Intel® Processor Breakpoint Control Flow (PBCF) Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE Number

CVSS Base Score

CVE-2021-0127

5.6 (Medium)

INTEL-SA-00561: 2021.2 IPU – Intel® Processor Shared Resource Advisory (PSRA) Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:

CVE Number

CVSS Base Score

CVE-2021-0145

6.5 (Medium)

INTEL-SA-00589: 2021.2 IPU – Intel® Atom® Processor Advisory
The description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:

CVE Number

CVSS Base Score

CVE-2021-33120

3.6 (Low)

Links for Technical Details

Technical details of the potential security vulnerabilities and functional issues are documented online:
https://security-center.intel.com

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) can be found here:

In an effort to continuously improve the robustness of Intel® products, manufacturer Intel® has performed a security review with the objective of continuously enhancing software resilience. Affected Fujitsu products are listed below. For detailed information on the Fujitsu-approved remedy, please refer to the official Fujitsu PSIRT security advisory (PSS-IS-2021-052110), as well as to the official Intel® security advisories (INTEL-SA-00470, INTEL-SA-00527, INTEL-SA-00532, INTEL-SA-00561 and INTEL-SA-00589).

List of Affected Fujitsu products ( APL )
2021.2 INTEL PLATFORM UPDATE (IPU) INTEL 2021.2 IPU COVERING INTEL® SPS, AMT and PMC UPDATES, INTEL® FIRMWARE (BIOS) UPDATES, INTEL® PROCESSOR MICROCODE (MCU) UPDATES

Mobile ( CELSIUS /LIFEBOOK /STYLISTIC )

AFFECTED SYSTEM

NEW FIXED
BIOS/ME

BIOS/ME
RELEASE
DATE

LIFEBOOK  E448 /E458

V1.21

cw 21/2022

LIFEBOOK  E449/459

V1.09

cw 21/2022

LIFEBOOK  E546 /E556
( Non v-Pro )

V1.36

cw 26/2022

LIFEBOOK  E546 /E556
( v-Pro )

V1.36

cw 26/2022

LIFEBOOK  E547/E557
( Non v-Pro )

V1.19

cw 24/2022

LIFEBOOK  E547/E557
(v-Pro )

V1.19

cw 24/2022

LIFEBOOK  E548 /E558

V1.22

cw 21/2022

LIFEBOOK  E549 /E559

V2.20

cw 17/2022

LIFEBOOK  E736/E746/E756
( v-Pro )

V1.40

cw 26/2022

LIFEBOOK  E736/E746/E756
( Non v-Pro )

V1.40

cw 26/2022

LIFEBOOK  E5410 /E5510

V2.23

cw 15/2022

LIFEBOOK  E5411/E5511

V2.26

cw 11/2022

LIFEBOOK  P727

V1.23

cw 24/2022

LIFEBOOK  P728

V1.19

cw 21/2022

LIFEBOOK  S936

V1.26

cw 26/2022

LIFEBOOK  S937

V2.11

cw 21/2022

LIFEBOOK  S938

V1.19

cw 21/2022

LIFEBOOK  T726

V1.24

cw 26/2022

LIFEBOOK  T936

V1.24

cw 26/2022

LIFEBOOK  T937

V1.24

cw 24/2022

LIFEBOOK  T938

V2.15

cw 17/2022

LIFEBOOK  U727/U747/U757 6th Gen CPU model

V1.29

cw 24/2022

LIFEBOOK  U727/U747/U757

V1.29

cw 24/2022

LIFEBOOK  U728 /U748 /U758

V1.25

cw 21/2022

LIFEBOOK  U729 /U749 /U759

V2.16

cw 17/2022

LIFEBOOK  U729X

V2.16

cw 17/2022

LIFEBOOK  U937

V1.20

cw 24/2022

LIFEBOOK  U938

V1.25

cw 21/2022

LIFEBOOK  U939
(THUNDERBOLT model )

V2.18

cw 17/2022

LIFEBOOK  U939
(Type c model )

V2.17

cw 17/2022

LIFEBOOK  U939X

V2.21

cw 17/2022

LIFEBOOK  U9310

V2.17

cw 15/2022

LIFEBOOK  U9310X

V2.16

cw 15/2022

LIFEBOOK  U9311
(updating from BIOS version 2.XX)

V2.32

cw 11/2022

LIFEBOOK  U9311
(updating from BIOS version 1.XX)

V1.52

cw 11/2022

LIFEBOOK  U9311X

V2.26

cw 11/2022

STYLISTIC Q509

V1.29

cw 19/2022

STYLISTIC Q616

V1.18

cw 26/2022

STYLISTIC Q736

V1.23

cw 26/2022

STYLISTIC Q737

V1.22

cw 26/2022

STYLISTIC Q738

V1.15

cw 21/2022

STYLISTIC Q739

V2.16

cw 17/2022

STYLISTIC Q5010

V1.24

cw 19/2022

STYLISTIC Q7310

V2.17

cw 15/2022

STYLISTIC Q7311

V2.20

cw 11/2022

CELSIUS H760

v1.26

cw 26/2022

CELSIUS H770

v1.23

cw 24/2022

CELSIUS H780

t.b.d.

t.b.d.

CELSIUS H970

t.b.d.

t.b.d.

CELSIUS H980

t.b.d.

t.b.d.

CELSIUS H7510

t.b.d.

t.b.d.

 

CELSIUS (WorkStation)

Please refer to the following site.
https://support.ts.fujitsu.com/IndexDownload.asp?SoftwareGuid=E012F673-28FD-4AA2-8B79-35D78AB76BCA

ESPRIMO (Desktop)

FUTRO (Thin-Client)

This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.

* cw: calendar week
t.b.d.: to be defined
** Installation by Fujitsu hardware service on request

Contact Details
Should you require any further security-related assistance, please contact:Fujitsu-PSIRT@ts.fujitsu.com.
For more information on security vulnerabilities, please also go to https://security.ts.fujitsu.com.

NOTE:
Insyde® Security Advisories INSYDE-SA-2022001 to INSYDE-SA-2022024 on InsydeH2O are not part of this 2021.2 Intel Platform Update (IPU). The Fujitsu PSIRT already addressed the Insyde® Security Advisories internally and released dedicated Fujitsu PSIRT Security Advsiory FCCL-IS-2021-090903. All necessary updates will be issued along with the 2021.2 Intel Platform Update (IPU).

Intel® Security Advisories INTEL-TA-00528 (CPU FSFPCD), INTEL-TA-00562 (BIOS) and INTEL-TA-00575 (AMT) are not officially part of this 2021.2 Intel Platform Update (IPU). All necessary updates will be issued along with the 2021.2 Intel Platform Update (IPU). Fujitsu PRIMERGY and PRIMEQUEST systems are not affected by Intel® Security Advisories INTEL-TA-00528 and INTEL-TA-00575.

Intel® Security Advisories INTEL-SA-00539, INTEL-SA-00563, INTEL-SA-00571, INTEL-SA-00581, INTEL-SA-00582, INTEL-SA-00593, INTEL-SA-00598, INTEL-SA-00604 and INTEL-SA-00609 are not part of this 2021.2 Intel Platform Update (IPU). The Fujitsu PSIRT already addressed these Intel® Security Advisories internally and will release Fujitsu PSIRT Security Notices, depending on the result of the final analysis.

Recommended Steps for Remediation

Remediation via BIOS Update

Step 1: Determine whether you have an affected system.

Refer to the LIST OF AFFECTED Fujitsu product (APL)
 https://support.ts.fujitsu.com/IndexQuickSearchResult.asp?q=PSS-IS-2020-120710APL
This list is updated regularly. Before proceeding, please check the expected availability of the relevant BIOS
update package.

Step 2: Download and install the BIOS update package.
To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:

• Select "Select a new Product" (button)
• Select "Browse for Product"
• Select "product line"
• Select "product group" and "product family".
• Download and install the latest BIOS update package

Step 3: Preparation.

After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

NOTE:

To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.

To run the ME update procedure, using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by executing "drvload.exe <path-to-HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.

Links for Software Security Updates

Vendor Fujitsu
security.ts.fujitsu.com

Vendor Intel
security-center.intel.com

Further Information

Contact Details

Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com

Legal Statement

Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.