Intel Q2 Security Update on Side-Channel Analysis Method Vulnerability

Intel Q2 Security Update on Side-Channel

(Spectre & Meltdown) Security Review

Fujitsu Communication

Latest Update: 21.05.2018

Reference: Security vulnerabilities of microprocessors (CVE-2018-3639,CVE-2018-3640,INTEL-SA-00115)

The vulnerability Variant 4 is a derivative of side channel methods previously disclosed in January. Like the other variants, Variant 4 uses speculative execution, a feature common to most modern processor architectures, to potentially expose certain kinds of data through a side channel. To ensure to offer the option for full mitigation and to prevent this method from being used in other ways, mitigation through a combination of microcode (MCU) and software updates is provided. This update also includes MCUs addressing Variant 3a (Rogue System Register Read), which was previously disclosed. These two MCUs were bundled together to streamline the process for customers. We continue to urge all customers to keep their systems up-to-date.

CVE Reference: (INTEL-SA-00115)

Side-Channel Analysis Method Q2 update

CVE Number
CVSS
Comment
CVE-2018-3639CVSS 4.3, MediumVariant 4: Microcode updates and operating system security patches are needed
CVE-2018-3640CVSS 4.3, MediumVariant 3a: Only microcode updates are needed

The microcode updates will also include other enhancements to assist software in the mitigation of potential future side-channel security vulnerabilities.

Impact:

According to the information provided the potential impact is:

CVE-2018-3639 – Speculative Store Bypass (SSB)

• Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.

CVE-2018-3640 – Rogue System Register Read (RSRE)

• Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis

Affected Fujitsu products:

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute patches for all affected products that are currently supported. Older systems that are no longer supported will not be patched.

An overview of the affected Client Computing Devices can be found here:

LIFEBOOK
Model Name
Updated
BIOS Version
BIOS Release Date
OS update necessity

LIFEBOOK A532/AH532/AH562

TBD

TBD

Yes

LIFEBOOK AH544

TBD

TBD

Yes

LIFEBOOK AH552

TBD

TBD

Yes

LIFEBOOK AH555

TBD

TBD

Yes

LIFEBOOK AH556

TBD

TBD

Yes

LIFEBOOK AH557

TBD

TBD

Yes

LIFEBOOK CH702

TBD

TBD

Yes

LIFEBOOK E458/E448

TBD

Week 27 ~ 28

Yes

LIFEBOOK E554/E544

TBD

TBD

Yes

LIFEBOOK E556/E546(Non-Vpro)

TBD

TBD

Yes

LIFEBOOK E556/E546(Vpro)

TBD

TBD

Yes

LIFEBOOK E557/E547(Non-Vpro)

TBD

Week 29 ~ 30

Yes

LIFEBOOK E557/E547(Vpro)

TBD

Week 29 ~ 30

Yes

LIFEBOOK E558/E548

TBD

Week 27 ~ 28

Yes

LIFEBOOK E733/E743/E753

TBD

TBD

Yes

LIFEBOOK E734/E744/E754(Non-Vpro)

TBD

TBD

Yes

LIFEBOOK E734/E744/E754(Vpro)

TBD

TBD

Yes

LIFEBOOK E736/E746/E756(Non-Vpro)

TBD

TBD

Yes

LIFEBOOK E736/E746/E756(Vpro)

TBD

TBD

Yes

LIFEBOOK E782/E752

TBD

TBD

Yes

LIFEBOOK LH532

TBD

TBD

Yes

LIFEBOOK LH532
Discrete Graphics model

TBD

TBD

Yes

LIFEBOOK LH772

TBD

TBD

Yes

LIFEBOOK P702

TBD

TBD

Yes

LIFEBOOK P727

TBD

Week 29 ~ 30

Yes

LIFEBOOK P728

TBD

Week 27 ~ 28

Yes

LIFEBOOK P772

TBD

TBD

Yes

LIFEBOOK PH702

TBD

TBD

Yes

LIFEBOOK S762/S792(Non-Vpro)

TBD

TBD

Yes

LIFEBOOK S762/S792(Vpro)

TBD

TBD

Yes

LIFEBOOK S762/S792(Non-Vpro) Win8

TBD

TBD

Yes

LIFEBOOK S762/S792(Vpro) Win8

TBD

TBD

Yes

LIFEBOOK S762/S792/SH762/SH792
Discrete Graphics model

TBD

TBD

Yes

LIFEBOOK S762/S792/SH762/SH792
Discrete Graphics model Win8

TBD

TBD

Yes

LIFEBOOK S782/S752

TBD

TBD

Yes

LIFEBOOK S904

TBD

TBD

Yes

LIFEBOOK S935

TBD

TBD

Yes

LIFEBOOK S936

TBD

TBD

Yes

LIFEBOOK S937

TBD

Week 29 ~ 30

Yes

LIFEBOOK S938

TBD

Week 27 ~ 28

Yes

LIFEBOOK SH572/SH772

TBD

TBD

Yes

LIFEBOOK SH782

TBD

TBD

Yes

LIFEBOOK T725

TBD

TBD

Yes

LIFEBOOK T726

TBD

TBD

Yes

LIFEBOOK T732

TBD

TBD

Yes

LIFEBOOK T734(Non-Vpro)

TBD

TBD

Yes

LIFEBOOK T734(Vpro)

TBD

TBD

Yes

LIFEBOOK T902

TBD

TBD

Yes

LIFEBOOK T904

TBD

TBD

Yes

LIFEBOOK T935

TBD

TBD

Yes

LIFEBOOK T936

TBD

TBD

Yes

LIFEBOOK T937

TBD

Week 29 ~ 30

Yes

LIFEBOOK U536

TBD

TBD

Yes

LIFEBOOK U537

TBD

TBD

Yes

LIFEBOOK U727/U747/U757

TBD

Week 29 ~ 30

Yes

LIFEBOOK U727/U747/U757(6th gen.)

TBD

Week 29 ~ 30

Yes

LIFEBOOK U728/U748/U758

TBD

Week 27 ~ 28

Yes

LIFEBOOK U745

TBD

TBD

Yes

LIFEBOOK U772

TBD

TBD

Yes

LIFEBOOK U937

TBD

Week 29 ~ 30

Yes

LIFEBOOK U938

TBD

Week 27 ~ 28

Yes

LIFEBOOK UH554/UH574

TBD

TBD

Yes

LIFEBOOK UH572

TBD

TBD

Yes

LIFEBOOK UH572 Win8

TBD

TBD

Yes

STYLISTIC
Model Name
Updated
BIOS Version
BIOS Release Date
OS update necessity

STYLISTIC Q335

TBD

TBD

Yes

STYLISTIC Q506

TBD

TBD

Yes

STYLISTIC Q507

TBD

TBD

Yes

STYLISTIC Q508

TBD

TBD

Yes

STYLISTIC Q555

TBD

TBD

Yes

STYLISTIC Q584

TBD

TBD

Yes

STYLISTIC Q616

TBD

TBD

Yes

STYLISTIC Q665

TBD

TBD

Yes

STYLISTIC Q702

TBD

TBD

Yes

STYLISTIC Q704(Non-Vpro)

TBD

TBD

Yes

STYLISTIC Q704(Vpro)

TBD

TBD

Yes

STYLISTIC Q736

TBD

TBD

Yes

STYLISTIC Q737

TBD

Week 29 ~ 30

Yes

STYLISTIC Q775

TBD

TBD

Yes

STYLISTIC Q738

TBD

Week 27 ~ 28

Yes

STYLISTIC R726(Non-Vpro)

TBD

TBD

Yes

STYLISTIC R726(Vpro)

TBD

TBD

Yes

CELSIUS (Mobile)
Model Name
Updated
BIOS Version
BIOS Release Date
OS update necessity

CELSIUS H730

TBD

TBD

Yes

CELSIUS H760

TBD

TBD

Yes

CELSIUS H770

TBD

Week 29 ~ 30

Yes

CELSIUS H970

TBD

TBD

Yes

*1: Dates are subject to change
*2: Please apply mentioned version or newer version.

CELSIUS (WorkStation)Please refer to the following site.
ESPRIMO (Desktop)
FUTRO (Thin-Client)

This page will be updated regularly as soon as new information is available. Beside a list of affected systems, also more detailed advice will follow. In addition, Fujitsu highly recommends system owners ensure that systems are physically secured where possible, and follow good security practices to ensure that only authorized personnel have hands-on access to devices.

Technical Details:
Technical details of the exploits are documented online:

Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system.

Microcode Update via BIOS:

Fujitsu strongly advises all customers to update affected products. Updates are provided through an updated version of the BIOS and the necessary patches for the dedicated operating system.

Update via BIOS:

Step 1:
Determine whether you have an affected system.
Refer to the list of affected Fujitsu systems. This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2:
Download and install the BIOS update package.
To install and download the BIOS update package, please go to the Fujitsu support page and follow these steps:

1. Select “Product Type”.
2. Select “Series”.
3. Select “Model”.
4. Select “OS”.
5. Download the latest BIOS update package from the “BIOS” section and install it.

Selected links for operating system patches:

Note:

This is a non-binding communication that is not intended to create, and shall not be construed as creating, a legal obligation or commitment of Fujitsu or its suppliers. All details of this communication have been prepared with care, based on the information available to Fujitsu at the time of publication. However, all details of this communication are subject to error or change, depending on further findings. Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu assumes no liability with respect to the information provided on such websites. Designations may be trademarks and/or copyrights of Fujitsu or the respective companies, the use of which by third parties for their own purposes may infringe the rights of such owners.