2019.2 INTEL PLATFORM UPDATE (IPU)

Intel 2019.2 IPU covering Intel® CSME, SPS, TXE, AMT, SGX, TXT & TSX updates, Intel® Firmware (BIOS) updates and Intel® Processor Microcode (MCU) updates

Fujitsu Communication

Original release: November 12, 2019

Advisory Description

Intel® CSME, SPS, TXE and Intel® AMT 2019.2 IPU Advisory(INTEL-SA-00241)

Multiple potential security vulnerabilities in Intel® Converged Security and Management Engine (Intel® CSME), Server Platform Services (Intel® SPS), Trusted Execution Engine (Intel® TXE) and Intel® Active Management Technology (Intel® AMT) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:

  • Insufficient input validation in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45 may allow an unauthenticated user to potentially enable a denial of service or information disclosure via adjacent access. (CVE-2019-0131)
  • A heap overflow in subsystem in Intel® CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.50, Intel® TXE before versions 3.1.70 and 4.0.20 may allow an unauthenticated user to potentially enable an escalation of privileges, information disclosure or denial of service via adjacent access. (CVE-2019-0169)
  • Insufficient input validation in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45 may allow an unauthenticated user to potentially enable an escalation of privilege via adjacent access. (CVE-2019-11088)
  • Improper directory permissions in the Installer for Intel® Management Engine Consumer Driver for Windows before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.0, 14.0.10, Intel® TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable an escalation of privilege via local access. (CVE-2019-11097)
  • Insufficient input validation in firmware update Software for Intel® CSME before versions 12.0.45, 13.0.10 and 14.0.10 may allow an authenticated user to potentially enable an escalation of privilege via local access. (CVE-2019-11103)
  • Insufficient input validation in MEInfo Software for Intel® CSME before versions 11.8.70, 11.11.70, 11.22.70, 12.0.45, 13.0.10, 14.0.10; Intel® TXE before versions 3.1.70 and 4.0.20 may allow an authenticated user to potentially enable an escalation of privilege via local access. (CVE-2019-11104)
  • A logic issue in subsystem for Intel® CSME before versions 12.0.45, 13.0.10 and 14.0.10 may allow a privileged user to potentially enable escalation of privilege and information disclosure via local access. (CVE-2019-11105)
  • A logic issue in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow an unauthenticated user to potentially enable an escalation of privilege via network access. (CVE-2019-11131)
  • Cross site scripting in subsystem in Intel® AMT before versions 11.8.70, 11.11.70, 11.22.70 and 12.0.45 may allow a privileged user to potentially enable an escalation of privilege via network access. (CVE-2019-11132)
  • Insufficient access control in the hardware abstraction driver for Intel® CSME MEInfo before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35, 13.0.10.1201, 14.0.10; TXEInfo software for Intel® TXE before versions 3.1.70 and 4.0.20, INTEL-SA-00086 Detection Tool version 1.2.7.0 or before, INTEL-SA-00125 Detection Tool version 1.0.45.0 or before may allow an authenticated user to potentially enable an escalation of privilege via local access. (CVE-2019-11147)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00241 is:

Denial of Service, Information Disclosure, Privilege Escalation

Intel® SGX and Intel® TXT 2019.2 IPU Advisory(INTEL-SA-00220)

Multiple potential security vulnerabilities in Intel® Software Guard Extensions (Intel® SGX) and Intel® Trusted Execution Technology (Intel® TXT) may allow users to potentially cause an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:

  • Insufficient memory protection in Intel® 6th Generation Core™ Processors and greater supporting Intel® SGX may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2019-0123)
  • Insufficient memory protection in Intel® 6th Generation Core™ Processors and greater supporting Intel® TXT may allow a privileged user to potentially enable escalation of privilege via local access. (CVE-2019-0124)

Application providers may please refer to the originalIntel® SGX and TXT Advisoryas well as theIntel® SGX Attestation Technical Details, to determine whether they may need to implement changes to their SGX application for SGX attestation service, also including such solutions, which may utilize Remote Attestation (IAS).

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00220 is:

Privilege Escalation

Intel® SGX with Intel® Processor Graphics 2019.2 IPU Advisory(INTEL-SA-00219)

A potential security vulnerability in Intel® Software Guard Extensions (Intel® SGX) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

  • Insufficient access control in protected memory subsystem for Intel® Software Guard Extensions (Intel® SGX) for 6th, 7th, 8th, 9th Generation Intel® Core™ Processor Families, Intel® Xeon® Processor E3-1500 v5, v6 Families, and Intel® Xeon® E-2100 & E-2200 Processor Families, with Intel® Processor Graphics may allow a privileged user to potentially enable information disclosure via local access. (CVE-2019-0117)

Application providers may please refer to the originalIntel® SGX with Intel® Processor Graphics Update Advisoryas well as the Intel® SGX Attestation Technical Details, to determine whether they may need to implement changes to their SGX application for SGX attestation service, also including such solutions, which may utilize Remote Attestation (IAS).

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00219 is:

Information Disclosure

Intel® Trusted Execution Technology 2019.2 IPU Advisory(INTEL-SA-00164)

A potential security vulnerability in Intel® Trusted Execution Technology (Intel® TXT) with Intel® Processor Graphics may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

  • Insufficient access control in protected memory subsystem for Intel® for 6th, 7th, 8th and 9th Generation Intel® Core™ Processor Families, Intel® Xeon® Processor E3-1500 v5 and v6 Families, Intel® Xeon® E-2100 and E-2200 Processor Families with Intel® Processor Graphics and Intel® TXT may allow a privileged user to potentially enable an information disclosure via local access.(CVE-2019-0184)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00164 is:

Information Disclosure

Intel® CPU Local Privilege Escalation 2019.2 IPU Advisory(INTEL-SA-00240)

Multiple potential security vulnerabilities in Intel® Trusted Execution Technology (Intel® TXT) may allow users to potentially cause an escalation of privilege. The detailed description of the vulnerabilities with high or critical CVSS base scores is as follows:

  • Insufficient memory protection in Intel® TXT for certain Intel® Core Processors and Intel® Xeon® Processors may allow a privileged user to potentially enable an escalation of privilege via local access. (CVE-2019-0151)
  • Insufficient memory protection in System Management Mode (SMM) and Intel® TXT for certain Intel® Xeon® Processors may allow a privileged user to potentially enable an escalation of privilege via local access. (CVE-2019-0152)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00240 is:

Information Disclosure

Intel® Firmware (BIOS) 2019.2 IPU Advisory(INTEL-SA-00280)

Multiple potential security vulnerabilities in Intel® firmware (BIOS) may allow users to potentially cause a denial of service, disclose information or an escalation of privilege. The detailed description of the vulnerabilities with high CVSS base scores is as follows:

  • Insufficient access control in system firmware for Intel® Xeon® Scalable Processors, 2nd Generation Intel® Xeon® Scalable Processors, Intel® Xeon® Processors D Family may allow a privileged user to potentially enable an escalation of privilege, denial of service and/or information disclosure via local access.(CVE-2019-11136)
  • Insufficient input validation in system firmware for Intel® Xeon® Scalable Processors, Intel® Xeon® Processors D Family, Intel® Xeon® Processors E5 v4 Family, Intel® Xeon® Processors E7 v4 Family, Intel® Atom® processor C Series may allow a privileged user to potentially enable an escalation of privilege, denial of service and/or information disclosure via local access. (CVE-2019-11137)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00280 is:

Information Disclosure

Intel® TSX Asynchronous Abort 2019.2 IPU Advisory(INTEL-SA-00270)

A potential security vulnerability in some Intel® CPUs may allow users to potentially disclose information. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

  • TSX Asynchronous Abort (TAA) condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.

The audience may please refer to the original TSX Asynchronous Abort Advisoryas well as the corresponding article Deep Dive: Intel® Transactional Synchronization Extensions (Intel® TSX) Asynchronous Abort, for additional technical details about "TAA" (Transactional Synchronization Extensions (TSX) Asynchronous Abort).

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00270 is:

Information Disclosure

Intel® Voltage Modulation 2019.2 IPU Advisory(INTEL-SA-00271)

A potential security vulnerability in some Intel® CPUs may allow users to potentially cause a denial of service. The detailed description of the vulnerability with medium, high or critical CVSS base score is as follows:

  • Improper conditions check in the voltage modulation interface for some Intel® Xeon® Scalable Processors may allow a privileged user to potentially enable denial of service via local access.(CVE-2019-11139)

Potential Impact:

According to the information provided the potential impact of INTEL-SA-00271 is:

Information Disclosure

Intel® Processor Microcode (MCU) Updates 2019.2 IPU Advisory

Additionally, multiple potential functional issues (or erratum) in Intel® processor microcode (MCU) may lead to a) an incorrect overwrite of fill buffers affected by MDS (Microarchitectural Data Sampling), b) Spectre variant 2 (BTI) mitigations not being fully effective, c) systems exhibiting unpredictable system behavior executing instructions and d) allowing an attacker to access confidential SGX enclave data using side-channel methods.

The detailed description of the issues (no newly assigned CVEs; some FUNCTIONAL issue only) is as follows:

MD_CLEAR OPERATIONS: May Overwrite Fill Buffers With Data That is Not Constant

On processors that enumerate the MD_CLEAR CPUID bit, the VERW mem instruction will overwrite buffers affected by MDS (Microarchitectural Data Sampling). On processors also affected by this erratum, VERW may overwrite portions of the fill buffers with recently stored data rather than uniformly constant data.

Software using VERW to prevent MDS side channel methods from revealing previous accessed data may not prevent those side-channel methods from inferring the value stored by the most recent preceding stores to certain address offsets.

TA INDIRECT SHARING: STIBP, IBRS and IBPB May Not Function as Intended

Spectre variant 2 (Branch Target Injection) mitigations may not be fully effective in certain corner cases. This affects one or more of STIBP, IBRS and IBPB MSR bits. The "retpoline" mitigation technique is not affected. This also does not affect parts that are run with Hyper-Threading (HT) disabled.

SHUF: Unpredictable Behavior When Executing X87, AVX or Integer Divide Instructions

Under complex micro-architectural conditions, executing an X87 or AVX or integer divide instruction may result in unpredictable system behavior.

When this erratum occurs, the system may exhibit unpredictable system behavior. Intel has not observed this erratum with any commercially available software.

EGETKEY: SGX Key Confidentiality May be Compromised

Under complex micro-architectural conditions, it may be possible for the value of SGX keys to be inferred using side-channel methods.

If exposed, such keys could allow an attacker to access confidential SGX enclave data. Processors that do not support Hyper-Threading (HT) are not affected by this issue.

CVE Reference(INTEL-SA-00241,INTEL-SA-00220,INTEL-SA-00219,INTEL-SA-00164,INTEL-SA-00240,INTEL-SA-00280,INTEL-SA-00270,INTEL-SA-00271)

Intel® CSME, SPS, TXE and Intel® AMT 2019.2 IPU Advisory (INTEL-SA-00241)

CVE NumberCVSS Base Score
CVE-2019-01317.1 (High)
CVE-2019-01654.4 (Medium)
CVE-2019-01665.9 (Medium)
CVE-2019-01684.6 (Medium)
CVE-2019-01699.6 (Critical)
CVE-2019-110863.5 (Low)
CVE-2019-110876.4 (Medium)
CVE-2019-110887.5 (High)
CVE-2019-110906.8 (Medium)
CVE-2019-110977.3 (High)
CVE-2019-111006.1 (Medium)
CVE-2019-111014.4 (Medium)
CVE-2019-111024.1 (Medium)
CVE-2019-111037.3 (High)
CVE-2019-111047.3 (High)
CVE-2019-111057.9 (High)
CVE-2019-111064.4 (Medium)
CVE-2019-111075.3 (Medium)
CVE-2019-111082.3 (Low)
CVE-2019-111094.4 (Medium)
CVE-2019-111104.1 (Medium)
CVE-2019-111317.5 (High)
CVE-2019-111328.4 (High)
CVE-2019-111478.2 (High)

Intel® SGX and Intel® TXT 2019.2 IPU Advisory (INTEL-SA-00220)

CVE NumberCVSS Base Score
CVE-2019-01238.2 (High)
CVE-2019-01248.2 (High)

Intel® SGX with Intel® Processor Graphics 2019.2 IPU Advisory (INTEL-SA-00219)

CVE NumberCVSS Base Score
CVE-2019-01176.0 (Medium)

Intel® Trusted Execution Technology 2019.2 IPU Advisory (INTEL-SA-00164)

CVE NumberCVSS Base Score
CVE-2019-01846.0 (Medium)

Intel® CPU Local Privilege Escalation 2019.2 IPU Advisory (INTEL-SA-00240)

CVE NumberCVSS Base Score
CVE-2019-01517.5 (High)
CVE-2019-01528.2 (High)

Intel® Firmware (BIOS) 2019.2 IPU Advisory (INTEL-SA-00280)

CVE NumberCVSS Base Score
CVE-2019-111367.5 (High)
CVE-2019-111377.5 (High)

Intel® TSX Asynchronous Abort 2019.2 IPU Advisory (INTEL-SA-00270)

CVE NumberCVSS Base Score
CVE-2019-111356.5 (Medium)

Intel® Voltage Modulation 2019.2 IPU Advisory (INTEL-SA-00271)

CVE NumberCVSS Base Score
CVE-2019-111395.8 (Medium)

Links for Technical Details

Technical details of the potential security vulnerabilities and functional issues are documented online:

https://security-center.intel.com

Affection and Remediation

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched

Affected Fujitsu products are listed below. For detailed information on the Fujitsu-approved remedy, please refer to the document Intel security vulnerabilities (INTEL-SA-00241, INTEL-SA-00220, INTEL-SA-00219, INTEL-SA00164, INTEL-SA-00240, INTEL-SA-00280, INTEL-SA-00270 and INTEL-SA-00271).

An overview of the affected Client Computing Devices (e.g. CELSIUS, LIFEBOOK, STYLISTIC) can be found here:

This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.

LIFEBOOK

Model Name
New Bios
( with Fix )
Bios
Release date
List of LIFEBOOK AH556-UMA
V1.28
TBD
List of LIFEBOOK AH556-VGA
V1.28
TBD
LIFEBOOK AH557
V1.21
TBD
LIFEBOOK E448 / E458
V1.17
TBD
LIFEBOOK E449 / E459
V1.05
TBD
LIFEBOOK E549
V2.13
TBD
LIFEBOOK E556/E546(Non-Vpro)
V1.33
TBD
LIFEBOOK E556/E546(Vpro)
V1.24
TBD
LIFEBOOK E557/E547(Non-Vpro)
V1.14
TBD
LIFEBOOK E557/E547(Vpro)
V1.18
TBD
LIFEBOOK E558/E548
V1.17
TBD
LIFEBOOK E559
V2.13
TBD
LIFEBOOK E736/E746/E756 (Non-Vpro)
V1.36
TBD
LIFEBOOK E736/E746/E756 (Vpro)
V1.27
TBD
LIFEBOOK P727
V1.18
TBD
LIFEBOOK P728
V1.15
TBD
LIFEBOOK S935
V1.20
TBD
LIFEBOOK S936
V1.23
TBD
LIFEBOOK S937
V2.07
TBD
LIFEBOOK S938
V1.15
TBD
LIFEBOOK T725
V1.22
TBD
LIFEBOOK T726
V1.21
TBD
LIFEBOOK T935
V1.22
TBD
LIFEBOOK T936
V1.21
TBD
LIFEBOOK T937
V1.19
TBD
LIFEBOOK T938
V2.10
TBD
LIFEBOOK U536
V1.20
TBD
LIFEBOOK U727/U747/U757
V1.24
TBD
LIFEBOOK U727/U747/U757(6th gen.)
V1.12
TBD
LIFEBOOK U728/U748/U758
V1.20
TBD
LIFEBOOK U729/U749/U759
V2.16
TBD
LIFEBOOK U729X
V2.11
TBD
LIFEBOOK U745
V1.25
TBD
LIFEBOOK U937
V1.16
TBD
LIFEBOOK U938
V1.20
TBD
LIFEBOOK U939
V1.15
TBD
LIFEBOOK U939 ( W/TBT)
V2.12
TBD
LIFEBOOK U939X
V2.10
TBD
LIFEBOOK U939X ( W/TBT)
V2.12
TBD

STYLISTIC

Model Name
New Bios
( with Fix )
Bios
Release date
STYLISTIC Q509
V1.21
TBD
STYLISTIC Q616
V1.17
TBD
STYLISTIC Q665
V1.19
TBD
STYLISTIC Q775
V1.23
TBD
STYLISTIC Q736
V1.20
TBD
STYLISTIC Q737
V1.17
TBD
STYLISTIC Q738
V1.11
TBD
STYLISTIC Q739
V2.09
TBD
STYLISTIC R726(Non-Vpro)
V1.24
TBD
STYLISTIC R726(Vpro)
V1.24
TBD

CELSIUS (Mobile)

Model Name
New Bios
( with Fix )
Bios
Release date
CELSIUS H760
V1.29
TBD
CELSIUS H770
V1.18
TBD

*1: Dates are subject to change
*2: Please apply mentioned version or newer version.
*3. cw: calendar week / TBD : to be defined

CELSIUS (WorkStation)
Please refer to the following site.
https://support.ts.fujitsu.com/content/Intel_SA22X_SA24X_SA164_SA27X_SA280.asp?lng=COM
ESPRIMO (Desktop)
FUTRO (Thin-Client)

Recommended Steps for Remediation

Remediation via BIOS Update

Step 1: Determine whether you have an affected system.

Refer to the https://www.fujitsu.com/hk/support/products/computing/pc/ap/ . This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to the http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.htmland follow these steps:

  • Select "Product Type t" (button)
  • Select "Series "
  • Select "Model and OS "
  • Select " BIOS "
  • Download and install the latest BIOS update package

Step3: Use the Intel-SA-00185 Detection Tool to verify that the issue has been remediated.

Remediation via Management Engine (ME) Update

Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices.

Step 1: Determine whether you have an affected system.

Refer to the https://www.fujitsu.com/hk/support/products/computing/pc/ap/. This list is updated regularly.
Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to the http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.htmland follow these steps:

  • Select "Product Type t" (button)
  • Select "Series "
  • Select "Model and OS "
  • Select " BIOS "
  • Download and install the latest ME Firmware package

Step 3: Preparation.

After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

Hints:

  • To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel(R) Active Management Technology Driver package for Windows.
  • To run the ME Update procedure using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by "drvload.exe< Path to HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel(R) Active Management Technology Driver package for Windows.

Links for Software Security Updates

Vendor Fujitsu

LIFEBOOK : http://www.fujitsu-pc-asia.com/driversupport/selectioninterface/selection.html

CELSIUS (WorkStation)/ESPRIMO (Desktop)/FUTRO (Thin-Client) : http://support.ts.fujitsu.com

Vendor Intel

https://security-center.intel.com/

Further Information

Contact Details

Should you require any further security-related assistance, please contact: fpca-hk.cs@hk.fujitsu.com

Legal Statement

Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers’ use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.