2022.1 INTEL PLATFORM UPDATE (IPU)
2022.1 INTEL PLATFORM UPDATE (IPU) Intel 2022.1 IPU covering Intel® CSME, BG, TXT & SGX updates, Intel® Firmware (BIOS) updates, Intel® Processor Microcode (MCU) updates
Fujitsu Communication
Original release: May 10, 2022
Last update: N/A
PSS-IS-2021-121710
Advisory Description
INTEL-SA-00613: 2022.1 IPU – Intel® CSME, BG and TXT Advisory
A potential security vulnerability in the Intel® Converged Security and Management Engine (Intel® CSME), Intel® Boot Guard (Intel® BG) and Intel® Trusted Execution Technology (Intel® TXT) may allow an escalation of privilege. The detailed description of the vulnerability with at least a high or critical CVSS base score is as follows:
CVE-2022-0004: Hardware debug modes and processor INIT setting that allow override of locks for some Intel® Processors in Intel® Boot Guard and Intel® TXT may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
Intel notified, that updated Intel® Server Platform Services (Intel® SPS) firmware to disable the CPU debug feature by default on server products is not released, and instead recommends to establish physical security of server systems and secure BMC (Baseboard Management Controller) access.
Potential Impact: According to the information provided the potential impact of INTEL-SA-00613 is: Privilege Escalation
INTEL-SA-00601:2022.1 IPU – Intel® Firmware (BIOS) Advisory
Multiple potential security vulnerabilities in the BIOS firmware or BIOS authenticated code module for some Intel® Processors may allow information disclosure or an escalation of privilege. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE-2021-0154: Improper input validation in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0153: Out-of-bounds write in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-33123: Improper access control in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0190: Uncaught exception in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-33122: Insufficient control flow management in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0189: Use of out-of-range pointer offset in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-33124: Out-of-bounds write in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-33103: Unintended intermediary in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0159: Improper input validation in the BIOS authenticated code module for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0188: Return of pointer value outside of expected range in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable an escalation of privilege via local access.
CVE-2021-0155: Unchecked return value in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.
Potential Impact: According to the information provided the potential impact of INTEL-SA-00601 is: Information Disclosure, Privilege Escalation
INTEL-SA-00614:2022.1 IPU – Intel® SGX Advisory
A potential security vulnerability in Intel® Software Guard Extensions (Intel® SGX) may allow information disclosure. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CCVE-2022-0005: Sensitive information accessible by physical probing of JTAG interface for some Intel® Processors with SGX may allow an unprivileged user to potentially enable information disclosure via physical access.
Intel informed that an SGX TCB recovery is planned for later in Q2 2022, and that Intel documents were updated with technical details.
Potential Impact: According to the information provided the potential impact of INTEL-SA-00614 is: Information Disclosure
INTEL-SA-00617:2022.1 IPU – Intel® Processor Advisory
A potential security vulnerability in some Intel® Processors may allow information disclosure. The detailed description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE-2022-21151: Processor optimization removal or modification of security-critical code for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.
Intel informed that an SGX TCB recovery is planned for later in Q2 2022, and that Intel documents were updated with technical details.
Potential Impact: According to the information provided the potential impact of INTEL-SA-00617 is: Information Disclosure
INTEL-SA-00616:2022.1 IPU – Intel® Xeon® Processor Advisory
A potential security vulnerability in some Intel® Xeon® Processors may allow may allow a denial of service and/or information disclosure. The detailed description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
CVE-2022-21131: Improper access control for some Intel® Xeon® Processors may allow an authenticated user to potentially enable information disclosure via local access.
CVE-2022-21136: Improper input validation for some Intel® Xeon® Processors may allow a privileged user to potentially enable denial of service via local access.
Potential Impact: According to the information provided the potential impact of INTEL-SA-00616 is: Denial of Service, Information Disclosure
2022.1 IPU – Intel® Processor Microcode (MCU) and Intel® Firmware (BIOS) Functional Update
Additionally, multiple functional updates took place in Intel® Processor Microcode (MCU), affecting products/architectures ADL, APL-E, DVN-R, CPL, CSL, LKF, RKL, SKL, SKX-B1, TGL, TTL, referring to:
PECI PCIConfigLocal: Server CPUs that are accessed via serial PECI with WrPCIConfigLocal commands may corrupt targeted register or that are accessed via serial PECI with RdPCIConfigLocal commands may return corrupted data from registers. Potentially leading to thermal throttle on memory channels, decreased PCIe and Ultra Path Interconnect performance, system shutdown, or errors. (CPL, CSL, SKL)
Patrol Scrub Frequency: The patrol scrub interval controls the frequency with which the Memory Controller (MC) checks for and corrects correctable memory errors and could previously only be configured via BIOS. 1. Lower frequency of MC checks and corrections may lead to an elevated level of memory errors. 2. Intel® is providing a method to make the patrol scrub interface more cloud friendly. (CSL, SKL)
WBINVD CHA Conflict Resolution: Under complex microarchitectural conditions, during the writeback and invalidate cache instruction (WBINVD) execution, the Caching and Home Agent (CHA) may not correctly resolve a conflict between read and write instructions on a two or more socket system. (SKX-B1)
Invalid code byte jumps: Intel®-observed on DVR-R and APL-E only. A mitigation is already applied to Goldmont products. In this IPU the inclusion of APL-E and DVN-R is completed by applying SEQ-PRDWN and SPINE_MASK (the first only on DVN-R). (DVN-R, APL-E)
Additionally, a functional update took place in Intel® Processor Microcode (MCU), affecting products / architectures Alder Lake, Ice Lake, Lakefield, Rocket Lake, Tatlow, Tiger Lake and newer, referring to:
Data Operand Independent Timing (DOIT): Intel® provides a list of the instructions, that have data-independent timing, that can be used in conjunction with the previous guidelines, for mitigating timing side channel against cryptographic implementation and introduces a data operand independent timing processor mode on certain processors, with the release of the 2022.1 Intel Platform Update (IPU). The MCU will provide the ability to enable this feature so cryptographic software can use this mode where applicable. (ADL, LKF, RKL, TGL, TTL, et sqq.)
There were no additional CVEs assigned to these FUNCTIONAL updates.
CVE Reference (INTEL-SA-00613, INTEL-SA-00601, INTEL-SA-00614, INTEL-SA-00617, INTEL-SA-00616)
INTEL-SA-00613: 2022.1 IPU – Intel® CSME, BG and TXT Advisory The description of the vulnerabilities with at least a high or critical CVSS base score is as follows
CVE Number | CVSS Base Score |
---|---|
7.3 (High) |
INTEL-SA-00601: 2022.1 IPU– Intel® Firmware (BIOS) Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE Number | CVSS Base Score |
---|---|
CVE-2021-0154 | 8.2 (High) |
8.2 (High) | |
8.2 (High) | |
8.2 (High) | |
7.9 (High) | |
7.5 (High) | |
7.5 (High) | |
7.5 (High) | |
7.4 (High) | |
5.3 (Medium) | |
4.4 (Medium) |
INTEL-SA-00614: 2022.1 IPU – Intel® SGX Advisory
The description of the vulnerabilities with at least a medium, high or critical CVSS base score is as follows:
CVE Number | CVSS Base Score |
---|---|
7.3 (High) |
INTEL-SA-00616: 2022.1 IPU – Intel® Xeon® Processor Advisory
The description of the vulnerabilities with at least a low, medium, high or critical CVSS base score is as follows:
CVE Number | CVSS Base Score |
---|---|
3.3 (Low) | |
2.7 (Low) |
Links for Technical Details
Technical details of the potential security vulnerabilities and functional issues are documented online:
https://security-center.intel.com
Affected Fujitsu Products
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.
An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) can be found here:
List of affected Fujitsu products (APL)
This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.
Affected Fujitsu products are listed below. For detailed information on the Fujitsu-approved remedy,
Mobile ( CELSIUS /LIFEBOOK /STYLISTIC )
AFFECTED SYSTEM | NEW FIXED
| BIOS/ME
|
---|---|---|
LIFEBOOK AH556 | t.b.d | t.b.d |
LIFEBOOK E448 | t.b.d | CW 2022/35 |
LIFEBOOK E449 | t.b.d | CW 2022/35 |
LIFEBOOK E458 | t.b.d | CW 2022/35 |
LIFEBOOK E459 | t.b.d | CW 2022/35 |
LIFEBOOK E5410 | t.b.d | CW 2022/33 |
LIFEBOOK E5411 | t.b.d | CW 2022/31 |
LIFEBOOK E546 | V1.36 | CW 2022/27 |
LIFEBOOK E547 | t.b.d | CW 2022/37 |
LIFEBOOK E548 | t.b.d | CW 2022/35 |
LIFEBOOK E549 | V2.20 | available |
LIFEBOOK E5510 | t.b.d | CW 2022/33 |
LIFEBOOK E5511 | t.b.d | CW 2022/31 |
LIFEBOOK E556 | V1.36 | CW 2022/27 |
LIFEBOOK E557 | t.b.d | CW 2022/37 |
LIFEBOOK E558 | t.b.d | CW 2022/35 |
LIFEBOOK E559 | V2.20 | available |
LIFEBOOK E736 | V1.40 | CW 2022/27 |
LIFEBOOK E746 | V1.40 | CW 2022/27 |
LIFEBOOK E756 | V1.40 | CW 2022/27 |
LIFEBOOK P727 | t.b.d | CW 2022/37 |
LIFEBOOK P728 | t.b.d | CW 2022/35 |
LIFEBOOK S936 | V1.26 | CW 2022/27 |
LIFEBOOK S937 | t.b.d | CW 2022/37 |
LIFEBOOK S938 | t.b.d | CW 2022/35 |
LIFEBOOK T726 | V1.24 | CW 2022/27 |
LIFEBOOK T936 | V1.24 | CW 2022/27 |
LIFEBOOK T937 | t.b.d | CW 2022/37 |
LIFEBOOK T938 | t.b.d | CW 2022/35 |
LIFEBOOK T939 | V2.15 | available |
LIFEBOOK U536 | t.b.d | t.b.d |
LIFEBOOK U537 | t.b.d | t.b.d |
LIFEBOOK U727 | t.b.d | CW 2022/37 |
LIFEBOOK U728 | t.b.d | CW 2022/35 |
LIFEBOOK U729 | V2.25 | available |
LIFEBOOK U729X | V2.16 | available |
LIFEBOOK U7310 | t.b.d | CW 2022/33 |
LIFEBOOK U7311 | t.b.d | CW 2022/31 |
LIFEBOOK U7411 | t.b.d | CW 2022/31 |
LIFEBOOK U745 | N/A | t.b.d |
LIFEBOOK U747 | t.b.d | CW 2022/37 |
LIFEBOOK U748 | t.b.d | CW 2022/35 |
LIFEBOOK U749 | V2.25 | available |
LIFEBOOK U7510 | t.b.d | CW 2022/33 |
LIFEBOOK U7511 | t.b.d | CW 2022/31 |
LIFEBOOK U757 | t.b.d | CW 2022/37 |
LIFEBOOK U757 6th Gen | t.b.d | CW 2022/39 |
LIFEBOOK U758 | t.b.d | CW 2022/35 |
LIFEBOOK U759 | V2.25 | available |
LIFEBOOK U9310 | t.b.d | CW 2022/33 |
LIFEBOOK U9310X | t.b.d | CW 2022/33 |
LIFEBOOK U9311 | t.b.d | CW 2022/31 |
LIFEBOOK U9311X | t.b.d | CW 2022/31 |
LIFEBOOK U937 | t.b.d | CW 2022/37 |
LIFEBOOK U938 | t.b.d | CW 2022/35 |
LIFEBOOK U939 | V2.17 | available |
LIFEBOOK U939X | V2.18 | available |
STYLISTIC Q5010 | t.b.d | CW 2022/35 |
STYLISTIC Q509 | t.b.d | CW 2022/35 |
STYLISTIC Q616 | V1.18 | CW 2022/27 |
STYLISTIC Q7310 | t.b.d | CW 2022/33 |
STYLISTIC Q7311 | t.b.d | CW 2022/31 |
STYLISTIC Q7312 | t.b.d | t.b.d |
STYLISTIC Q736 | V1.23 | available |
STYLISTIC Q737 | V1.22 | CW 2022/35 |
STYLISTIC Q738 | t.b.d | CW 2022/35 |
STYLISTIC Q739 | V2.16 | available |
STYLISTIC R726 | t.b.d | t.b.d |
CELSIUS H760 | V1.26 | t.b.d |
CELSIUS H770 | t.b.d | t.b.d |
CELSIUS H780 | t.b.d | t.b.d |
CELSIUS H970 | t.b.d | t.b.d |
CELSIUS H7510 | t.b.d | t.b.d |
CELSIUS (WorkStation) | Please refer to the following site.
|
ESPRIMO (Desktop) | |
FUTRO (Thin-Client) |
This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.
* cw: calendar week
t.b.d.: to be defined
** Installation by Fujitsu hardware service on request
Contact Details
Should you require any further security-related assistance, please contact:Fujitsu-PSIRT@ts.fujitsu.com.
For more information on security vulnerabilities, please also go to https://security.ts.fujitsu.com.
NOTE:
Intel® Security Advisories INTEL-TA-00586 (CPU TME, SGX) and INTEL-TA-00648 (CPU SCSB) are not officially part of this 2022.1 Intel Platform Update (IPU). All necessary updates will be issued along with the 2022.1 Intel Platform Update (IPU).
Intel® Security Advisories INTEL-SA-00563, INTEL-SA-00603, INTEL-SA-00644 and INTEL-SA-00666 are not part of this 2022.1 Intel Platform Update (IPU). The Fujitsu PSIRT already addressed these Intel® Security Advisories internally and will release Fujitsu PSIRT Security Notices, depending on the result of the final analysis.
Intel® Security Advisories INTEL-SA-00563, INTEL-SA-00603, INTEL-SA-00644 and INTEL-SA-00666 are not part of this 2022.1 Intel Platform Update (IPU). The Fujitsu PSIRT already addressed these Intel® Security Advisories internally and will release Fujitsu PSIRT Security Notices, depending on the result of the final analysis.
Recommended Steps for Remediation |
Remediation via BIOS Update |
Step 1: Determine whether you have an affected system. |
Refer to the LIST OF AFFECTED Fujitsu product (APL)
|
Step 2: Download and install the BIOS update package. To download and install the BIOS update package, please go to the Fujitsu Technical Support page and
|
• Select "Select a new Product" (button)
|
Remediation via Management Engine (ME) Update
Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices.
Step 1: Determine whether you have an affected system. Refer to the list of affected Fujitsu products (APL). This list is updated regularly. Before proceeding, please check the expected availability of the relevant ME update package.
Step 2: Download the ME update package.
To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:
• Select "Select a new Product" (button)
• Select "Browse for Product"
• Select "product line"
• Select "product group" and "product family".
• Download and install the latest BIOS update package
Step 3: Preparation
- After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.
Step 4: ME Update Procedure
- The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.
NOTE:
To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.
To run the ME update procedure, using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by executing "drvload.exe <path-to-HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.
Links for Software Security UpdatesVendor Fujitsu |
Contact Details |
Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com |
Legal Statement |
Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.
|