Intel® 2019.1 Quarterly Security Release

Intel 2019.1 QSR covering Intel® CSME, SPS, TXE, & AMT updates, Intel® Firmware (UEFI) updates and Intel® Processor Microcode (MCU) updates

Fujitsu Communication

Original release: May 15, 2019

Advisory Description

Intel® CSME, SPS, TXE and Intel® AMT 2019.1 QSR Advisory (INTEL-SA-00213)

Multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Server Platform Services (SPS), Trusted Execution Engine (TXE) and Intel® Active Management Technology (Intel® AMT) may allow a user to cause a denial of service, disclose information or escalate privileges. The vulnerabilities with high or critical CVSS base scores are described below:

An insufficient access control vulnerability in Intel® Dynamic Application Loader software for Intel® CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel® TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable an escalation of privilege via local access. (CVE-2019-0086)

An improper data sanitization vulnerability in subsystem in Intel® Server Platform Services before versions SPS_E5_04.00.04.381.0, SPS_E3_04.01.04.054.0, SPS_SoC-A_04.00.04.181.0, and SPS_SoC-X_04.00.04.086.0 may allow a privileged user to potentially enable an escalation of privilege via local access. (CVE-2019-0089)

An insufficient access control vulnerability in subsystem for Intel® CSME before version 12.0.35, Intel® Server Platform Services before version SPS_E3_05.00.04.027.0 may allow an unauthenticated user to potentially enable an escalation of privilege via physical access. (CVE-2019-0090)

A buffer overflow in subsystem in Intel® CSME before version 12.0.35 may allow an unauthenticated user to potentially enable an escalation of privilege via network access. (CVE-2019-0153)

A buffer overflow in subsystem in Intel® DAL (Dynamic Application Loader) before version 12.0.35 may allow a privileged user to potentially enable an escalation of privilege via local access. (CVE-2019-0170)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00213 is:

Denial of Service, Information Disclosure, Privilege Escalation

Intel® Processor Microcode (MCU) Updates (INTEL-SA-00233)

Multiple potential security vulnerabilities in Intel® processor microcode (MCU) may allow information disclosure. They are known collectively as Microarchitectural Data Sampling (MDS); the fill-buffer variant is also referred to as "ZombieLoad". The vulnerabilities with medium CVSS base scores are described below:

  • Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2018-12126)
  • Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2018-12127)
  • Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. (CVE-2018-12130)

MCUs work in conjunction with updates to Operating System (OS) and Virtual Machine Monitor (VMM) software provided by others: the microcode alone does not mitigate MDS, it enumerates the new buffer-clearing capability that a patched OS or VMM then uses. Where utilized, Intel® SGX attestation services will report whether the MCU update is applied, beginning June 11, 2019.
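The dependency just described (microcode plus OS/VMM update) is what an administrator has to confirm on each host after patching. As an added example, not code from the Fujitsu or Intel advisory, the following Python script checks both layers on a Linux host: the md_clear flag in /proc/cpuinfo mirrors the MD_CLEAR capability (CPUID.(EAX=7,ECX=0):EDX[10]) that the new microcode enumerates, and the kernel's /sys/devices/system/cpu/vulnerabilities/mds file reports whether the OS is actually using it. The file paths are the standard Linux ones; the sample strings embedded in the script are constructed, and a Windows host would need a different check (not shown).

```python
"""Verify the two layers of the MDS mitigation on a Linux host.

Added example, not part of the Fujitsu/Intel advisory. It reads:
  * /proc/cpuinfo: the "md_clear" flag mirrors CPUID.(EAX=7,ECX=0):EDX[10],
    the MD_CLEAR capability that the INTEL-SA-00233 microcode enumerates.
  * /sys/devices/system/cpu/vulnerabilities/mds: the kernel's verdict on
    whether it is using that capability (VERW buffer clearing).
The sample strings at the bottom are constructed so the script runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path

MDS_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/mds")
CPUINFO = Path("/proc/cpuinfo")


@dataclass(frozen=True)
class MdsStatus:
    verdict: str     # kernel text before ';', e.g. "Mitigation: Clear CPU buffers"
    smt_note: str    # kernel text after ';', e.g. "SMT vulnerable" ("" if absent)
    mitigated: bool  # kernel reports a mitigation or "Not affected"
    md_clear: bool   # microcode enumerates MD_CLEAR


def parse_mds_sysfs(text: str) -> tuple[str, str, bool]:
    """Split the sysfs line into verdict, SMT note and a mitigated flag.

    "Vulnerable: Clear CPU buffers attempted, no microcode" is what the
    kernel prints when the OS patch is present but the MCU is not, so
    only "Mitigation:" or "Not affected" count as mitigated.
    """
    verdict, _, smt = text.strip().partition(";")
    verdict, smt = verdict.strip(), smt.strip()
    mitigated = verdict.startswith("Mitigation:") or verdict == "Not affected"
    return verdict, smt, mitigated


def has_md_clear(cpuinfo_text: str) -> bool:
    """True if a 'flags' line of /proc/cpuinfo lists md_clear."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            _, _, flags = line.partition(":")
            if "md_clear" in flags.split():
                return True
    return False


def assess(sysfs_text: str, cpuinfo_text: str) -> MdsStatus:
    verdict, smt, mitigated = parse_mds_sysfs(sysfs_text)
    return MdsStatus(verdict, smt, mitigated, has_md_clear(cpuinfo_text))


def remediation_advice(status: MdsStatus) -> str:
    """Map the two signals onto the advisory's layering: MCU plus OS/VMM update."""
    if status.verdict == "Not affected":
        return "CPU not affected by MDS"
    if status.md_clear and status.mitigated:
        if "SMT vulnerable" in status.smt_note:
            return "microcode and OS mitigation present; SMT sibling threads remain exposed"
        return "microcode and OS mitigation present"
    if status.md_clear:
        return "microcode provides MD_CLEAR but the OS is not using it: apply the OS/VMM update"
    return "MD_CLEAR absent: apply the BIOS/microcode update, then confirm the OS/VMM update"


def check_host() -> MdsStatus | None:
    """Read the live files; None when not on a Linux host that exposes them."""
    if not (MDS_SYSFS.exists() and CPUINFO.exists()):
        return None
    return assess(MDS_SYSFS.read_text(), CPUINFO.read_text())


# Constructed sample input (what a patched kernel on updated microcode prints).
SAMPLE_SYSFS = "Mitigation: Clear CPU buffers; SMT vulnerable\n"
SAMPLE_CPUINFO = (
    "processor\t: 0\n"
    "vendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr sse sse2 ibrs ibpb md_clear flush_l1d\n"
)

if __name__ == "__main__":
    live = check_host()
    status = live if live is not None else assess(SAMPLE_SYSFS, SAMPLE_CPUINFO)
    print("live host" if live is not None else "constructed sample")
    print(f"kernel: {status.verdict!r} {status.smt_note!r}; md_clear={status.md_clear}")
    print(remediation_advice(status))
```

Run it on the patched host after the BIOS/MCU update and a reboot; the "SMT vulnerable" note is reported by the kernel even when both layers are in place, because the buffers are shared between sibling hyperthreads and VERW does not isolate them.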

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00233 is:

Information Disclosure

Additionally, multiple potential functional issues in Intel® processor microcode (MCU) may cause unpredictable system behavior, platform stability problems or a platform reset. The issues (functional issues, so no CVEs and no CVSS base scores) are described below, each preceded by the affected processor families:

Amber Lake Y; Broadwell H,U,Y; Coffee Lake H,S,U; Kaby Lake G,H,S,U,X,Y,RU; Skylake H,S,U/Y,X; Whiskey Lake U

Under complex microarchitectural conditions, software using Intel® TSX (Transactional Synchronization Extensions) may result in unpredictable system behavior. Intel® has only seen this under synthetic testing conditions. Intel® is not aware of any commercially available software exhibiting this behavior.

Amber Lake Y; Broadwell H,U,Y; Coffee Lake H,S,U; Haswell H,U; Kaby Lake G,H,S,U,X,Y,RU; Skylake H,S,U/Y,X; Whiskey Lake U

"MCE": Addresses potential platform stability issues which could result in a platform reset and a Machine Check Exception (MCE) with IA32_MCi_STATUS.MSCOD=00FH and IA32_MCi_STATUS.MCACOD=0150H.

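The MSCOD/MCACOD pair quoted above is what an administrator would look for in machine-check logs when deciding whether an unexplained reset on one of the listed platforms is this functional issue rather than a hardware fault. The following Python decoder is an added example, not code from the Fujitsu or Intel page: it splits a raw IA32_MCi_STATUS value into its architectural fields as laid out in the Intel SDM (MCACOD bits 15:0, MSCOD bits 31:16, flag bits 63..57) and looks for the advisory's signature in two common log shapes, the Linux kernel "mce:" console line and mcelog's "STATUS" field. The sample value and log lines are constructed; the log formats are assumed representative.

```python
"""Decode IA32_MCi_STATUS and match the MSCOD/MCACOD signature from the advisory.

Added example, not code from the Fujitsu/Intel page. The field layout is the
architectural one from the Intel SDM (vol. 3, Machine-Check Architecture):
MCACOD in bits 15:0, MSCOD in bits 31:16, and the flag bits
PCC(57) ADDRV(58) MISCV(59) EN(60) UC(61) OVER(62) VAL(63).
The log-line formats handled (Linux "mce:" console line with "Bank N: <hex>",
and mcelog's "STATUS <hex>") are assumed representative; the sample value
and lines are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Signature quoted in the advisory for the functional MCE issue.
ADVISORY_MSCOD = 0x00F
ADVISORY_MCACOD = 0x150


@dataclass(frozen=True)
class MciStatus:
    raw: int
    mcacod: int   # bits 15:0, architectural MCA error code
    mscod: int    # bits 31:16, model-specific error code
    val: bool     # 63: register contains valid information
    over: bool    # 62: a previous error was overwritten
    uc: bool      # 61: uncorrected error
    en: bool      # 60: error reporting was enabled
    miscv: bool   # 59: IA32_MCi_MISC is valid
    addrv: bool   # 58: IA32_MCi_ADDR is valid
    pcc: bool     # 57: processor context corrupt


def decode_mci_status(raw: int) -> MciStatus:
    """Split a 64-bit IA32_MCi_STATUS value into its architectural fields."""
    if not 0 <= raw < (1 << 64):
        raise ValueError("IA32_MCi_STATUS is a 64-bit register")

    def bit(n: int) -> bool:
        return bool((raw >> n) & 1)

    return MciStatus(
        raw=raw,
        mcacod=raw & 0xFFFF,
        mscod=(raw >> 16) & 0xFFFF,
        val=bit(63), over=bit(62), uc=bit(61), en=bit(60),
        miscv=bit(59), addrv=bit(58), pcc=bit(57),
    )


def matches_advisory_signature(status: MciStatus) -> bool:
    """True for a valid (VAL=1) entry carrying the advisory's MSCOD/MCACOD pair."""
    return (status.val
            and status.mscod == ADVISORY_MSCOD
            and status.mcacod == ADVISORY_MCACOD)


# Two log shapes: kernel console "... Bank 3: b2000000000f0150" and mcelog "STATUS b200...".
_STATUS_PATTERNS = (
    re.compile(r"\bBank\s+\d+:\s+([0-9a-fA-F]{1,16})\b"),
    re.compile(r"\bSTATUS\s+([0-9a-fA-F]{1,16})\b"),
)


def status_from_log_line(line: str) -> MciStatus | None:
    """Extract and decode the status word from a machine-check log line."""
    for pattern in _STATUS_PATTERNS:
        m = pattern.search(line)
        if m:
            return decode_mci_status(int(m.group(1), 16))
    return None


def scan_log(lines: list[str]) -> list[MciStatus]:
    """Return the decoded entries that match the advisory signature."""
    hits = []
    for line in lines:
        status = status_from_log_line(line)
        if status is not None and matches_advisory_signature(status):
            hits.append(status)
    return hits


# Constructed sample: VAL|UC|EN|PCC set, MSCOD=0x00F, MCACOD=0x150 (0xB2000000000F0150).
SAMPLE_RAW = (1 << 63) | (1 << 61) | (1 << 60) | (1 << 57) | (ADVISORY_MSCOD << 16) | ADVISORY_MCACOD
SAMPLE_LOG = [
    "mce: [Hardware Error]: CPU 2: Machine Check: 0 Bank 3: b2000000000f0150",
    "mce: [Hardware Error]: TSC 1a2b3c4d ADDR fef1c000 MISC 86",
    "mce: [Hardware Error]: CPU 5: Machine Check: 0 Bank 0: 9000000000010005",
]

if __name__ == "__main__":
    s = decode_mci_status(SAMPLE_RAW)
    print(f"raw={s.raw:#018x} MCACOD={s.mcacod:#06x} MSCOD={s.mscod:#06x} "
          f"VAL={s.val} UC={s.uc} EN={s.en} PCC={s.pcc}")
    for hit in scan_log(SAMPLE_LOG):
        print(f"advisory signature matched: {hit.raw:#018x}")
```

The VAL check matters: a bank whose status word has bit 63 clear holds stale contents, so its MSCOD/MCACOD bits mean nothing and must not be counted as a hit. The compound-error meaning of the MCACOD itself is left to the SDM tables rather than guessed here.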
CVE Reference (INTEL-SA-00213, INTEL-SA-00223, INTEL-SA-00233)

Intel® CSME, SPS, TXE and Intel® AMT 2019.1 QSR Advisory (INTEL-SA-00213)

CVE Number       CVSS Base Score
CVE-2019-0086    7.8 (High)
CVE-2019-0089    8.1 (High)
CVE-2019-0090    7.1 (High)
CVE-2019-0091    6.6 (Medium)
CVE-2019-0092    6.8 (Medium)
CVE-2019-0093    2.3 (Low)
CVE-2019-0094    4.3 (Medium)
CVE-2019-0096    6.7 (Medium)
CVE-2019-0097    4.9 (Medium)
CVE-2019-0098    5.7 (Medium)
CVE-2019-0099    5.7 (Medium)
CVE-2019-0153    9.0 (Critical)
CVE-2019-0170    8.2 (High)

Intel® Firmware (UEFI) 2019.1 QSR Advisory (INTEL-SA-00223)

CVE Number       CVSS Base Score
CVE-2019-0119    5.7 (Medium)
CVE-2019-0120    5.3 (Medium)
CVE-2019-0126    7.2 (High)

Intel® Processor Microcode (MCU) Updates (INTEL-SA-00233)

CVE Number        CVSS Base Score
CVE-2018-12126    6.5 (Medium)
CVE-2018-12127    6.5 (Medium)
CVE-2018-12130    6.5 (Medium)
CVE-2019-11091    3.8 (Low)

Links for Technical Details

Technical details of the potential security vulnerabilities and functional issues are documented online:

https://security-center.intel.com

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

In an effort to continuously improve the robustness of the Intel® products, Intel has performed a security review with the objective of continuously enhancing firmware resilience.

Affected Fujitsu products are listed below. For detailed information on the Fujitsu-approved remedy, please refer to the document Intel security vulnerabilities (INTEL-SA-00213, INTEL-SA-00223 and INTEL-SA-00233).

LIFEBOOK

Model Name                               New BIOS (with Fix)   BIOS Release Date
LIFEBOOK AH556                           TBD                   TBD
LIFEBOOK AH557                           TBD                   TBD
LIFEBOOK E448 / E458                     TBD                   CW28
LIFEBOOK E449 / E459                     TBD                   CW28
LIFEBOOK E549                            V2.07                 CW24
LIFEBOOK E556/E546 (Non-vPro)            TBD                   CW40
LIFEBOOK E556/E546 (vPro)                TBD                   CW40
LIFEBOOK E557/E547 (Non-vPro)            TBD                   CW32
LIFEBOOK E557/E547 (vPro)                TBD                   CW32
LIFEBOOK E558/E548                       YES                   CW28
LIFEBOOK E559                            V2.07                 CW24
LIFEBOOK E736/E746/E756 (Non-vPro)       TBD                   CW40
LIFEBOOK E736/E746/E756 (vPro)           TBD                   CW40
LIFEBOOK P727                            TBD                   CW32
LIFEBOOK P728                            TBD                   CW35
LIFEBOOK S936                            TBD                   CW40
LIFEBOOK S937                            TBD                   CW32
LIFEBOOK S938                            TBD                   CW35
LIFEBOOK T726                            TBD                   CW40
LIFEBOOK T936                            TBD                   CW40
LIFEBOOK T937                            TBD                   CW32
LIFEBOOK T938                            TBD                   CW32
LIFEBOOK U727/U747/U757                  TBD                   CW32
LIFEBOOK U727/U747/U757 (6th gen.)       TBD                   CW32
LIFEBOOK U728/U748/U758                  TBD                   CW35
LIFEBOOK U729/U749/U759                  V2.09                 CW24
LIFEBOOK U729X                           V2.05                 CW24
LIFEBOOK U937                            TBD                   CW35
LIFEBOOK U938                            TBD                   CW35
LIFEBOOK U939                            V2.04                 CW24
LIFEBOOK U939 (w/ TBT)                   V2.05                 CW24
LIFEBOOK U939X                           V2.04                 CW24
LIFEBOOK U939X (w/ TBT)                  V2.05                 CW24

STYLISTIC

Model Name                               New BIOS (with Fix)   BIOS Release Date
STYLISTIC Q616                           TBD                   CW37
STYLISTIC Q736                           TBD                   CW37
STYLISTIC Q738                           V1.09                 CW35
STYLISTIC Q739                           V2.04                 CW24
STYLISTIC R726 (Non-vPro)                TBD                   TBD
STYLISTIC R726 (vPro)                    TBD                   TBD

CELSIUS (Mobile)

Model Name                               New BIOS (with Fix)   BIOS Release Date
CELSIUS H760                             TBD                   CW35
CELSIUS H770                             TBD                   CW35
CELSIUS H780                             V1.15                 CW33
CELSIUS H970                             V1.15                 CW33

*1: Dates are subject to change.
*2: Please apply the mentioned version or a newer version.
*3: CW: calendar week / TBD: to be defined.

CELSIUS (WorkStation) / ESPRIMO (Desktop) / FUTRO (Thin-Client)

Please refer to the following site:
https://support.ts.fujitsu.com/content/Intel_SA185_SA191.asp?lng=COM

Recommended Steps for Remediation

Remediation via BIOS Update

Step 1: Determine whether you have an affected system.

Refer to the list of affected products at https://www.fujitsu.com/hk/support/products/computing/pc/ap/ . This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html and follow these steps:

  • Select "Product Type" (button)
  • Select "Series"
  • Select "Model and OS"
  • Select "BIOS"
  • Download and install the latest BIOS update package

Step 3: Use the Intel-SA-00185 Detection Tool to verify that the issue has been remediated.

Remediation via Management Engine (ME) Update

Step 1: Determine whether you have an affected system.

Refer to the list of affected products at https://www.fujitsu.com/hk/support/products/computing/pc/ap/ . This list is updated regularly.
Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download and install the ME firmware update package.

To download and install the ME firmware update package, please go to http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html and follow these steps:
  • Select "Product Type" (button)
  • Select "Series"
  • Select "Model and OS"
  • Select "BIOS"
  • Download and install the latest ME Firmware package

Step 3: Preparation.

After downloading the .zip file containing the ME Firmware Update Pack, extract all files, directories and subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files for use in a Windows environment. Run "update.bat" from a Windows cmd prompt with administrative privileges to start the ME flash procedure. Use the 32-bit or 64-bit subdirectory according to whether the Windows installation is 32-bit or 64-bit.

Hints:

  • To run the ME Update procedure from a Windows installation, the Windows "HECI" driver must be installed. Please use the Intel(R) Active Management Technology Driver package for Windows.
  • To run the ME Update procedure from a Windows PE installation, the Windows "HECI" driver must likewise be installed. This can be done at runtime with "drvload.exe <Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.

Links for Software Security Updates

Vendor Fujitsu

LIFEBOOK: http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html

CELSIUS (WorkStation) / ESPRIMO (Desktop) / FUTRO (Thin-Client): http://support.ts.fujitsu.com

Vendor Intel

https://security-center.intel.com/ 

Further Information

Contact Details

Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com

Legal Statement

Fujitsu does not manufacture the affected microprocessors; Fujitsu buys them from third party suppliers and integrates them into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.