Intel® 2018.4 Quarterly Security Release

Intel 2018.4 QSR covering Intel® CSME, SPS, TXE, & AMT updates, Intel® Firmware (UEFI) updates and functional Intel® Processor Microcode (MCU) updates

Fujitsu Communication

Original release: March 15, 2019

Intel® CSME, SPS, TXE and Intel® AMT 2018.4 QSR Advisory(INTEL-SA-00185)

Multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Server Platform Services (SPS), Trusted Execution Engine (TXE) and Intel® Active Management Technology (Intel® AMT) may allow users to potentially escalate privileges, disclose information or cause a denial of service. The detailed description of the vulnerabilities with high CVSS base scores is as follows:

  • Insufficient input validation in Intel® AMT in Intel® CSME before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20 may allow an unauthenticated user to potentially execute arbitrary code via physical access. (CVE-2018-12185)
  • Insufficient input validation in Intel® Active Management Technology (Intel® AMT) before version 11.8.60, 11.11.60, 11.22.60 or 12.0.20 may allow an unauthenticated user to potentially cause a temporary denial of service via network. (CVE-2018-12187)
  • Insufficient input validation in Intel® CSME subsystem before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 or Intel® TXE before 3.1.60 or 4.0.10 may allow privileged user to potentially execute arbitrary code via local access. (CVE-2018-12190)
  • Insufficient access control in Intel Capability Licensing Service before version 1.50.638.1 may allow an unprivileged user to potentially escalate privileges via local access. (CVE-2018-12200)
  • Buffer overflow in HECI subsystem in Intel(R) CSME before versions 11.8.60, 11.11.60, 11.22.60 or 12.0.20 and Intel® TXE version before 3.1.60 or 4.0.10, or Intel(R) Server Platform Services before version 5.00.04.012 may allow an unauthenticated user to potentially execute arbitrary code via physical access. (CVE-2018-12208)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00185 is:

Denial of Service, Information Disclosure, Privilege Escalation

Intel® Firmware (UEFI) 2018.4 QSR Advisory(INTEL-SA-00191)

Multiple potential security vulnerabilities in Intel® firmware (UEFI) may allow for escalation of privilege, information disclosure or denial of service. The detailed description of the vulnerabilities with high CVSS base scores is as follows:

  • Privilege escalation vulnerability in Platform Sample/ Silicon Reference firmware Intel(R) Server Board, Intel(R) Server System and Intel(R) Compute Module may allow privileged user to potentially execute arbitrary code via local access. (CVE-2018-12204)
  • Privilege escalation vulnerability in Platform Sample/ Silicon Reference firmware for 8th Generation Intel(R) Core™ Processor, 7th Generation Intel(R) Core™ Processor may allow unauthenticated user to potentially execute arbitrary code via physical access. (CVE-2018-12205)

Potential Impact:
According to the information provided the potential impact of INTEL-SA-00191 is:

Denial of Service, Information Disclosure, Privilege Escalation

Intel® Processor Microcode (MCU) Updates

Multiple potential functional issues in Intel® processor microcode (MCU) may cause unpredictable system behavior, lead to a system hang or could result in a platform reset. The detailed description of the issues (no CVEs and no CVSS base scores – FUNCTIONAL issue) is as follows:

Broadwell E, EP, EP4S, EX; Skylake Server SP (H0, M0, U0); Skylake X, D, W; Haswell EX; Broadwell DE (A1, V1-3, Y0)

"TSX" - In a synthetic software environment, certain Intel Transactional Synchronization Extensions (TSX) functions may interact in ways that could result in unpredictable system behavior. This would only occur in extremely rare circumstances. Intel is not aware of any commercially available software exhibiting this behavior, and this is issue is not security-related. Intel is releasing a microcode(MCU) based workaround to prevent such hypothetical behavior.

Broadwell EP, EP4S, DE (V1-3, Y0); Haswell EX

"RCOMP" - An RCOMP and package C6 exit can lead to a system hang that results in machine check bank 4 status register bits 31:24 with a value of 0x09, 0x71, or 0x73. It is possible for BIOS to contain a workaround for this erratum.

Broadwell E, EP, EP4S, EX; Skylake Server SP (H0, M0, U0); Skylake X, D, W; Haswell EX, E/EP; Broadwell DE (A1, V1-3, Y0)

"MCE" - Addresses potential platform stability issues which could result in platform reset and MCE(IA32_MCi_STATUS.MSCOD=00FH), (IA32_MCI_ STATUS. MCACOD=0150H).

CVE Reference(INTEL-SA-00185, INTEL-SA-00191)

Intel® CSME, SPS, TXE and Intel® AMT 2018.4 QSR Advisory (INTEL-SA-00185)

CVE NumberCVSS Base Score
CVE-2018-121857.1 (High)
CVE-2018-121877.5 (High)
CVE-2018-121886.8 (Medium)
CVE-2018-121896.0 (Medium)
CVE-2018-121908.2 (High)
CVE-2018-121916.8 (Medium)
CVE-2018-121926.9 (Medium)
CVE-2018-121966.7 (Medium)
CVE-2018-121986.0 (Medium)
CVE-2018-121996.1 (Medium)
CVE-2018-122007.9 (High)
CVE-2018-122087.1 (High)

Intel® Firmware (UEFI) 2018.4 QSR Advisory (INTEL-SA-00191)

CVE NumberCVSS Base Score
CVE-2018-122015.7 (Medium)
CVE-2018-122025.7 (Medium)
CVE-2018-122032.3 (Low)
CVE-2018-122047.5 (High)
CVE-2018-122057.6 (High)

Links for Technical Details

Technical details of the potential security vulnerabilities and functional issues are documented online:

https://security-center.intel.com

Affection and Remediation

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

Affected Fujitsu products are listed below. For detailed information on the Fujitsu-approved remedy, please refer to the document Intel security vulnerabilities (INTEL-SA-00185 and INTEL-SA-00191).

INTEL Q4 QUARTERLY SECURITY ADVISORY

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC) can be found here:

LIFEBOOK

Model Name
New Bios
( with Fix )
Bios
Release date
New ME
( with Fix )
ME
Release date
List of LIFEBOOK AH556
YES
TBD


List of LIFEBOOK AH556
YES
TBD


LIFEBOOK AH557
YES
TBD


LIFEBOOK E448 / E458
YES
CW28


LIFEBOOK E449 / E459
YES
CW28


LIFEBOOK E549
Done
From Beginning


LIFEBOOK E556/E546(Non-Vpro)


YES
CW24
LIFEBOOK E556/E546(Vpro)


YES
CW24
LIFEBOOK E557/E547(Non-Vpro)
YES
CW32


LIFEBOOK E557/E547(Vpro)
YES
CW32


LIFEBOOK E558/E548
YES
CW28


LIFEBOOK E559
Done
From Beginning


LIFEBOOK E736/E746/E756 (Non-Vpro)


YES
CW24
LIFEBOOK E736/E746/E756 (Vpro)


YES
CW24
LIFEBOOK P727
V1.16
Available


LIFEBOOK P728
V1.13
Available


LIFEBOOK S936


YES
CW24
LIFEBOOK S937
V1.11
Available


LIFEBOOK S938
YES
CW27


LIFEBOOK T726
V1.19
Available


LIFEBOOK T936
V1.19
Available


LIFEBOOK T937
V1.17
Available


LIFEBOOK T938
V1.12
Available


LIFEBOOK U727/U747/U757
YES
CW32


LIFEBOOK U727/U747/U757(6th gen.)
YES
CW32


LIFEBOOK U728/U748/U758
YES
CW27


LIFEBOOK U729/U749/U759
Done
From Beginning


LIFEBOOK U729X
Done
From Beginning


LIFEBOOK U937
V1.14
Available


LIFEBOOK U938
V1.17
Available


LIFEBOOK U939
Done
From Beginning


LIFEBOOK U939 ( W/TBT)
Done
From Beginning


LIFEBOOK U939X
Done
From Beginning


LIFEBOOK U939X ( W/TBT)
Done
From Beginning



STYLISTIC

Model Name
New Bios
( with Fix )
Bios
Release date
New ME
( with Fix )
ME
Release date
STYLISTIC Q616


YES
CW24
STYLISTIC Q736


YES
CW24
STYLISTIC Q738
V1.09
Available


STYLISTIC Q739
Done
From Beginning


STYLISTIC R726(Non-Vpro)
YES
TBD


STYLISTIC R726(Vpro)
YES
TBD



CELSIUS (Mobile)

Model Name
New Bios
( with Fix )
Bios
Release date
New ME
( with Fix )
ME
Release date
CELSIUS H760


YES
CW24
CELSIUS H770
YES
CW27


CELSIUS H780
V1.14
Available


CELSIUS H970
V1.15
CW32


*1: Dates are subject to change
*2: Please apply mentioned version or newer version.
*3. cw: calendar week

CELSIUS (WorkStation)
Please refer to the following site.
https://support.ts.fujitsu.com/content/Intel_SA185_SA191.asp?lng=COM
ESPRIMO (Desktop)
FUTRO (Thin-Client)

Recommended Steps for Remediation

Step 1: Determine whether you have an affected system.

Refer to the https://www.fujitsu.com/hk/support/products/computing/pc/ap/ . This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to the http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html and follow these steps:

  • Select "Product Type t" (button)
  • Select "Series "
  • Select "Model  and OS "
  • Select " BIOS ".
  • Download and install the latest BIOS update package

Step 3: Use the Intel-SA-00185 Detection Tool to verify that the issue has been remediated.

Remediation via Management Engine (ME) Update

Step 1: Determine whether you have an affected system.

Refer to the https://www.fujitsu.com/hk/support/products/computing/pc/ap/ . This list is updated regularly.
Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to the http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html and follow these steps:
  • Select "Product Type t" (button)
  • Select "Series "
  • Select "Model  and OS "
  • Select " BIOS ".
  • Download and install the latest ME Firmware package

Step 3: Preparation.

After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories
in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat"
in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit
directory if using a Windows 32-bit or a Windows 64-bit installation.

Hints:

  • To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel(R) Active Management Technology Driver package for Windows.
  • To run the ME Update procedure using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by "drvload.exe< Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.

Links for Software Security Updates

Vendor Fujitsu

LIFEBOOK : http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html 

CELSIUS (WorkStation)/ESPRIMO (Desktop)/FUTRO (Thin-Client)  :  http://support.ts.fujitsu.com

Vendor Intel

https://security-center.intel.com/ 

Further Information

Contact Details

Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com

Legal Statement

Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.