Intel Q2 Security Update on Side-Channel Analysis Method Vulnerability
(Spectre & Meltdown) Security Review
Fujitsu Communication
Latest Update: 21.05.2018
Reference: Security vulnerabilities of microprocessors (CVE-2018-3639, CVE-2018-3640, INTEL-SA-00115)
Variant 4 is a derivative of the side-channel methods previously disclosed in January. Like the other variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. To offer the option of full mitigation and to prevent this method from being used in other ways, mitigation is provided through a combination of microcode (MCU) and software updates. This update also includes MCUs addressing Variant 3a (Rogue System Register Read), which was previously disclosed. These two MCUs were bundled together to streamline the process for customers. We continue to urge all customers to keep their systems up-to-date.
CVE Reference: (INTEL-SA-00115)
Side-Channel Analysis Method Q2 update
CVE Number | CVSS | Comment |
---|---|---|
CVE-2018-3639 | CVSS 4.3, Medium | Variant 4: Microcode updates and operating system security patches are needed |
CVE-2018-3640 | CVSS 4.3, Medium | Variant 3a: Only microcode updates are needed |
The microcode updates will also include other enhancements to assist software in the mitigation of potential future side-channel security vulnerabilities.
Impact:
According to the information provided, the potential impact is:
CVE-2018-3639 – Speculative Store Bypass (SSB)
• Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
CVE-2018-3640 – Rogue System Register Read (RSRE)
• Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
Affected Fujitsu products:
A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.
An overview of the affected Client Computing Devices can be found here:
Model Name | Updated BIOS Version | BIOS Release Date | OS update necessity |
---|---|---|---|
LIFEBOOK A532/AH532/AH562 | TBD | TBD | Yes |
LIFEBOOK AH544 | TBD | TBD | Yes |
LIFEBOOK AH552 | TBD | TBD | Yes |
LIFEBOOK AH555 | TBD | TBD | Yes |
LIFEBOOK AH556 | TBD | TBD | Yes |
LIFEBOOK AH557 | TBD | TBD | Yes |
LIFEBOOK CH702 | TBD | TBD | Yes |
LIFEBOOK E458/E448 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK E554/E544 | TBD | TBD | Yes |
LIFEBOOK E556/E546(Non-Vpro) | TBD | TBD | Yes |
LIFEBOOK E556/E546(Vpro) | TBD | TBD | Yes |
LIFEBOOK E557/E547(Non-Vpro) | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK E557/E547(Vpro) | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK E558/E548 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK E733/E743/E753 | TBD | TBD | Yes |
LIFEBOOK E734/E744/E754(Non-Vpro) | TBD | TBD | Yes |
LIFEBOOK E734/E744/E754(Vpro) | TBD | TBD | Yes |
LIFEBOOK E736/E746/E756(Non-Vpro) | TBD | TBD | Yes |
LIFEBOOK E736/E746/E756(Vpro) | TBD | TBD | Yes |
LIFEBOOK E782/E752 | TBD | TBD | Yes |
LIFEBOOK LH532 | TBD | TBD | Yes |
LIFEBOOK LH532 | TBD | TBD | Yes |
LIFEBOOK LH772 | TBD | TBD | Yes |
LIFEBOOK P702 | TBD | TBD | Yes |
LIFEBOOK P727 | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK P728 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK P772 | TBD | TBD | Yes |
LIFEBOOK PH702 | TBD | TBD | Yes |
LIFEBOOK S762/S792(Non-Vpro) | TBD | TBD | Yes |
LIFEBOOK S762/S792(Vpro) | TBD | TBD | Yes |
LIFEBOOK S762/S792(Non-Vpro) Win8 | TBD | TBD | Yes |
LIFEBOOK S762/S792(Vpro) Win8 | TBD | TBD | Yes |
LIFEBOOK S762/S792/SH762/SH792 | TBD | TBD | Yes |
LIFEBOOK S762/S792/SH762/SH792 | TBD | TBD | Yes |
LIFEBOOK S782/S752 | TBD | TBD | Yes |
LIFEBOOK S904 | TBD | TBD | Yes |
LIFEBOOK S935 | TBD | TBD | Yes |
LIFEBOOK S936 | TBD | TBD | Yes |
LIFEBOOK S937 | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK S938 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK SH572/SH772 | TBD | TBD | Yes |
LIFEBOOK SH782 | TBD | TBD | Yes |
LIFEBOOK T725 | TBD | TBD | Yes |
LIFEBOOK T726 | TBD | TBD | Yes |
LIFEBOOK T732 | TBD | TBD | Yes |
LIFEBOOK T734(Non-Vpro) | TBD | TBD | Yes |
LIFEBOOK T734(Vpro) | TBD | TBD | Yes |
LIFEBOOK T902 | TBD | TBD | Yes |
LIFEBOOK T904 | TBD | TBD | Yes |
LIFEBOOK T935 | TBD | TBD | Yes |
LIFEBOOK T936 | TBD | TBD | Yes |
LIFEBOOK T937 | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK U536 | TBD | TBD | Yes |
LIFEBOOK U537 | TBD | TBD | Yes |
LIFEBOOK U727/U747/U757 | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK U727/U747/U757(6th gen.) | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK U728/U748/U758 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK U745 | TBD | TBD | Yes |
LIFEBOOK U772 | TBD | TBD | Yes |
LIFEBOOK U937 | TBD | Week 29 ~ 30 | Yes |
LIFEBOOK U938 | TBD | Week 27 ~ 28 | Yes |
LIFEBOOK UH554/UH574 | TBD | TBD | Yes |
LIFEBOOK UH572 | TBD | TBD | Yes |
LIFEBOOK UH572 Win8 | TBD | TBD | Yes |
Model Name | Updated BIOS Version | BIOS Release Date | OS update necessity |
---|---|---|---|
STYLISTIC Q335 | TBD | TBD | Yes |
STYLISTIC Q506 | TBD | TBD | Yes |
STYLISTIC Q507 | TBD | TBD | Yes |
STYLISTIC Q508 | TBD | TBD | Yes |
STYLISTIC Q555 | TBD | TBD | Yes |
STYLISTIC Q584 | TBD | TBD | Yes |
STYLISTIC Q616 | TBD | TBD | Yes |
STYLISTIC Q665 | TBD | TBD | Yes |
STYLISTIC Q702 | TBD | TBD | Yes |
STYLISTIC Q704(Non-Vpro) | TBD | TBD | Yes |
STYLISTIC Q704(Vpro) | TBD | TBD | Yes |
STYLISTIC Q736 | TBD | TBD | Yes |
STYLISTIC Q737 | TBD | Week 29 ~ 30 | Yes |
STYLISTIC Q775 | TBD | TBD | Yes |
STYLISTIC Q738 | TBD | Week 27 ~ 28 | Yes |
STYLISTIC R726(Non-Vpro) | TBD | TBD | Yes |
STYLISTIC R726(Vpro) | TBD | TBD | Yes |
Model Name | Updated BIOS Version | BIOS Release Date | OS update necessity |
---|---|---|---|
CELSIUS H730 | TBD | TBD | Yes |
CELSIUS H760 | TBD | TBD | Yes |
CELSIUS H770 | TBD | Week 29 ~ 30 | Yes |
CELSIUS H970 | TBD | TBD | Yes |
*1: Dates are subject to change
*2: Please apply mentioned version or newer version.
CELSIUS (WorkStation) | Please refer to the following site. |
ESPRIMO (Desktop) | |
FUTRO (Thin-Client) |
This page will be updated regularly as soon as new information is available. In addition to the list of affected systems, more detailed advice will follow. Fujitsu also highly recommends that system owners ensure systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have hands-on access to devices.
Technical Details:
Technical details of the exploits are documented online:
- https://www.intel.com/content/www/us/en/architecture-and-technology/facts-about-side-channel-analysis-and-intel-products.html
- https://security-center.intel.com/
Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system.
Microcode Update via BIOS:
Update via BIOS:
Step 1:
Determine whether you have an affected system.
Refer to the list of affected Fujitsu systems. This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.
Step 2:
Download and install the BIOS update package.
To download and install the BIOS update package, please go to the Fujitsu support page and follow these steps:
1. Select “Product Type”.
2. Select “Series”.
3. Select “Model”.
4. Select “OS”.
5. Download the latest BIOS update package from the “BIOS” section and install it.
Selected links for operating system patches:
- Microsoft Windows
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180003
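A post-update check for Variant 4, added here as an example and not taken from the Fujitsu or Intel advisory: it tells apart a missing microcode (BIOS) update from a missing or disabled operating system mitigation. It assumes a Linux host whose kernel carries the Variant 4 patches and reports status in sysfs and the microcode-provided `ssbd` flag in /proc/cpuinfo; the function names and sample strings are constructed for illustration.

```python
from pathlib import Path

# Linux interfaces assumed by this example (not mentioned in the advisory).
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/spec_store_bypass")
CPUINFO = Path("/proc/cpuinfo")

# Constructed sample: kernel patched, microcode from the BIOS update missing.
SAMPLE_STATUS = "Vulnerable\n"
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme de pse msr ibrs ibpb stibp\n"


def has_ssbd_flag(cpuinfo_text):
    """True if a CPU lists 'ssbd', the control exposed by updated microcode."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags" and "ssbd" in value.split():
            return True
    return False


def classify(status_text, cpuinfo_text):
    """Map kernel status + CPU flags to (state, next step) for CVE-2018-3639."""
    status = (status_text or "").strip()
    if not status:
        # No sysfs entry: the kernel predates the Variant 4 patches.
        return "os_update_needed", "install operating system security patches"
    if status.startswith("Not affected"):
        return "not_affected", "no action"
    if status.startswith("Mitigation"):
        return "mitigated", status
    if has_ssbd_flag(cpuinfo_text):
        # Microcode is in place but the kernel mitigation is switched off.
        return "os_setting", "review kernel boot parameters"
    return "microcode_needed", "install the updated BIOS package"


def read(path):
    """Return file contents, or '' when the file does not exist."""
    try:
        return path.read_text()
    except OSError:
        return ""


if __name__ == "__main__":
    print("sample:", classify(SAMPLE_STATUS, SAMPLE_CPUINFO))
    if CPUINFO.exists():
        print("this host:", classify(read(SYSFS), read(CPUINFO)))
```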
Note:
This is a non-binding communication that is not intended to create, and shall not be construed as creating, a legal obligation or commitment of Fujitsu or its suppliers. All details of this communication have been prepared with care, based on the information available to Fujitsu at the time of publication. However, all details of this communication are subject to error or change, depending on further findings. Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu assumes no liability with respect to the information provided on such websites. Designations may be trademarks and/or copyrights of Fujitsu or the respective companies, the use of which by third parties for their own purposes may infringe the rights of such owners.