Product Support

DOWNLOAD BASKET

DOWNLOADS

CONTACTS

PRODUCT SUPPORT

COMMUNITY & INFO

WARRANTY

PRODUCT SECURITY

MySupport

Important information - Javascript inactiv

	The current safety settings of your browser limit the execution of certain elements of this site. To offer the best possible support and to make the navigation on our site as convenient as possible for you it is mandatory to accept JavaScript in the settings of your browser. To receive a flawless presentation please follow these instructions.
	Mozilla Firefox
	In the address bar, type "about:config" (with no quotes), and press Enter. Click "I'll be careful, I promise" In the search bar, search for "javascript.enabled" (with no quotes). Right click or double click the result named "javascript.disabled" and change to "enabled". JavaScript is now enabled.

Product Security

Fujitsu PSIRT

Contact Details

Security Advisories

Security Notices

Policy Statement

Fujitsu PSIRT — Security Advisories (2023)

2023.3 INTEL PLATFORM UPDATE (IPU)

Intel 2023.3 IPU covering Intel® Chipset Firmware (CSME, AMT & ISM) updates, Intel® Firmware (BIOS) updates, Intel® Processor Microcode (MC) updates

Fujitsu Communication

Original release:	August 8, 2023
Last update:	N/A
Fujitsu PSIRT ID:	ISS-IS-2023-031500

Advisory Description

INTEL-SA-00783: 2023.3 IPU – Intel® Chipset Firmware (CSME, AMT & ISM) Advisory

Potential security vulnerabilities in the Intel® Converged Security and Management Engine (Intel® CSME), Intel® Active Management Technology (Intel® AMT) and Intel® Standard Manageability (ISM) may allow a denial of service or an escalation of privilege. The detailed description of the vulnerabilities with a medium or high CVSS base score is as follows:

CVE-2022-36392: Improper input validation in some firmware for Intel® AMT and Intel® Standard Manageability before versions 11.8.94, 11.12.94, 11.22.94, 12.0.93, 14.1.70, 15.0.45, and 16.1.27 in Intel® CSME may allow an unauthenticated user to potentially enable denial of service via network access.
CVE-2022-38102: Improper Input validation in firmware for some Intel® Converged Security and Management Engine before versions 15.0.45, and 16.1.27 may allow a privileged user to potentially enable denial of service via local access.
CVE-2022-29871: Improper access control in the Intel® CSME software installer before version 2306.4.10.0 [Intel publication: 2239.3.7.0] may allow an authenticated user to potentially enable escalation of privilege via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00783 is:
Denial of Service, Privilege Escalation

INTEL-SA-00813: 2023.3 IPU – Intel® Firmware (BIOS) Advisory

Potential security vulnerabilities in the BIOS firmware for some Intel® Processors may allow a denial of service, information disclosure or an escalation of privilege. The detailed description of the vulnerabilities with a medium or high CVSS base score is as follows:

CVE-2022-37343: Improper access control in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2022-44611: Improper input validation in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable escalation of privilege via adjacent access.
CVE-2022-38083: Improper initialization in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.
CVE-2022-27879: Improper buffer restrictions in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable information disclosure via local access.
CVE-2022-43505: Insufficient control flow management in the BIOS firmware for some Intel® Processors may allow a privileged user to potentially enable denial of service via local access.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00813 is:
Denial of Service, Information Disclosure, Privilege Escalation

INTEL-SA-00828: 2023.3 IPU – Intel® Processor (MC) Advisory

A potential security vulnerability in some Intel® Processors may allow information disclosure. The detailed description of the vulnerability with a medium CVSS base score is as follows:

CVE-2022-40982: Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access.

The audience may please refer to further publications by manufacturer Intel® on the 2023.3 IPU – Intel® Processor (MC) Advisory, such as the corresponding article Intel® Gather Data Sampling [Technical Paper], Intel® Threat Analysis Guidance for Gather Data Sampling and Intel® Gather Data Sampling Mitigation Performance Analysis, for additional details about GDS ("Downfall").

Intel informed, that an SGX TCB recovery is required and planned for August 2023, and that Intel document Intel® Q1 2023 Intel Software Guard Extensions Trusted Computing Base Recovery Guidance was updated with technical details. Also, the released microcode to mitigate INTEL-SA-00828 is OS loadable for non Intel® Software Guard Extension (SGX) customers.

Customers may please refer to the original Intel® Processor Advisory, the Intel® SGX Attestation Technical Details as well as the Intel® Microcode Update Guidance and Intel® Loading Microcode from the OS document, to inform themselves on Intel attestation technology and the microcode update (MCU) process in connection with this Intel PSIRT Security Advisory.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00828 is:
Information Disclosure

INTEL-SA-00836: 2023.3 IPU – Intel® Xeon® Scalable Processors (MC) Advisory

A potential security vulnerability in some 3rd Generation Intel® Xeon® Scalable processors may allow information disclosure. The detailed description of the vulnerability with a medium CVSS base score is as follows:

CVE-2023-23908: Improper access control in some 3rd Generation Intel® Xeon® Scalable processors may allow a privileged user to potentially enable information disclosure via local access.

Customers may please refer to the original Intel® Xeon® Scalable Processors (MC) Advisory, the Intel® Microcode Update Guidance and Intel® Loading Microcode from the OS document, to inform themselves on the Intel microcode update (MCU) process in connection with this Intel PSIRT Security Advisory.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00836 is:
Information Disclosure

INTEL-SA-00837: 2023.3 IPU – Intel® Xeon® Processor (MC) Advisory

A potential security vulnerability in some Intel® Xeon® Processors with Intel® Software Guard Extensions (Intel® SGX) or Intel® Trust Domain Extension (Intel® TDX) may allow an escalation of privilege. The detailed description of the vulnerability with a high CVSS base score is as follows:

CVE-2022-41804: Unauthorized error injection in Intel® SGX or Intel® TDX for some Intel® Xeon® Processors which may allow a privileged user to potentially enable escalation of privilege via local access.

Intel informed, that an SGX TCB recovery is required and planned for August 2023, and that Intel document Intel® Q1 2023 Intel Software Guard Extensions Trusted Computing Base Recovery Guidance was updated with technical details. Also, for 3rd Gen. Intel® Xeon® Scalable Processor family and Intel® Xeon® D Processors, under certain conditions the BIOS must be updated as well to avoid system hang.

Customers may please refer to the original Intel® Xeon® Processor Advisory, the Intel® SGX Attestation Technical Details as well as the Intel® Microcode Update Guidance and Intel® Loading Microcode from the OS document, to inform themselves on Intel attestation technology and the microcode update (MCU) process in connection with this Intel PSIRT Security Advisory.

Potential Impact: According to the information provided the potential impact of INTEL-SA-00837 is:
Privilege Escalation

2023.3 IPU – Intel® Processor Microcode (MC) Updates (MCU)

Additionally, multiple functional updates took place in Intel® Processor Microcode (MC), affecting products / architectures ADL/-P, CFL, CLX-AP/B1/W/X, CML/-T, GLF, ICL-P, JCB, MHL/-R, PLR, PRL, SKL-H0, SNR, TGL, WKL, et.al. referring to:

Control-Flow Enforcement Technology: Complex Shadow Stacks: Intel's Control-Flow Enforcement Technology (CET) introduces the concept of a shadow stack; when configured to do so, the CPU uses shadow stacks to ensure the correctness of certain control-flow transfers. Under certain conditions, a fracturing can happen where a shadow stack update was not completed. Fractured shadow stack updates may not be expected by software and may lead to unexpected behavior. (ADL, PRL, TGL)
Time Stamp Counter (TSC) May Report An Incorrect Value: Under complex micro-architectural conditions, Intel has identified that the Time-Stamp Counter (TSC) may incorrectly report the time [by] approximately 2 minutes or 3 minutes, depending on crystal clock frequency, behind the actual time when exiting C6 power saving state. The TSC will typically correct itself on the following C6 exit. (ADL-P)
Microcode Update Minimum Runtime Update Revision: Beginning with Linux kernel 5.19. Linux will no longer enable runtime loading of Microcode Updates (MCU) by default.
Warlock ML Flicker on certain LCD: Update to Pcode, to utilize a voltage value updated, to reduce flicker on certain implementations for eDP displays, associated with a voltage supply to a PLL circuit. (ADL)
Resolve Potential System Hang due to CMD Parity Error Injection on PCIE RP: Injecting an uncorrectable error which is not fatal, is causing a system hang, and causes a TOR TO and requires a warm reset. Correcting a Pcode Sequence Execution to resolve. (JCB, SNR)
Correcting Certain Turbo Ratio Limit MSRs Settings: During OS patch load, certain mask registers are getting cleared by Pcode inadvertently. (ICL-P)
Highest Performance Reported on MSR while TURBO is Disabled: Correcting reporting capability of MSR containing information on ratio proper clipping at the P1 value. (ICL-P)
Correcting for a TRL Clipping Value due to Data Segment Mishandle: TRL clipping value under certain conditions could lead to a constrained performance with a ratio that is too low, or possible electrical issues with a ratio that is too high. (CLX-AP/B1/W/X, GLF, PLR)
Deprecation of Platform Firmware Resiliency (PFR) MSR 0x60: Patch resource savings by removing unused features on MSR 0x60 for Purley Skylake-H0. (SKL-H0)
RRSBA Enumeration Update: Intel is providing microcode updates (MCU) to enumerate RRSBA on processors with RRSBA behavior. (AML, CFL, CML/-T, MHL-R, WKL)
Asynchronous Enclave Exit Notify (AEX-Notify) and the EDECCSSA User Leaf Function Architectural Enhancement: Asynchronous Enclave Exit Notify (AEX-Notify) is an architectural extension to Intel® SGX that allows SGX enclaves to be notified after an asynchronous enclave exit (AEX) has occurred. This mechanism can be used by enclave software to react to interrupts and exceptions by, for example, applying a mitigation. EDECCSSA is a new Intel SGX user leaf function that can facilitate AEX notification handling, as well as software exception handling. (MHL et.al.)

Intel informed, that regarding the Microcode Update Minimum Runtime Update Revision-issue it is working with the [Linux] kernel maintainers to re-enable if the MCU provides an indication that the update is suitable for runtime update; Intel further recommends customers assess the potential impact of transitioning to Linux kernel 5.19 [or later versions].

Intel informed in its functional updates overview, that regarding the Asynchronous Enclave Exit Notify (AEX-Notify) and the EDECCSSA User Leaf Function Architectural Enhancement-issue it may also have security implications.

The audience may please refer to further publications by manufacturer Intel® on the 2023.3 IPU – Intel® Processor Microcode (MC) Updates (MCU), such as the corresponding Intel® White Paper: Asynchronous Enclave Exit Notify and the EDECCSSA User Leaf Function, for additional details about AEX-Notify.

There were no additional CVEs assigned to these FUNCTIONAL updates.

CVE Reference (INTEL-SA-00783, INTEL-SA-00813, INTEL-SA-00828, INTEL-SA-00836, INTEL-SA-00837)

INTEL-SA-00783: 2023.3 IPU – Intel® Chipset Firmware (CSME, AMT & ISM) Advisory

The description of the vulnerabilities with a medium or high CVSS base score is as follows:

CVE Number	CVSS Base Score
CVE-2022-36392	8.6 (High)
CVE-2022-38102	7.2 (High)
CVE-2022-29871	6.7 (Medium)

INTEL-SA-00813: 2023.3 IPU – Intel® Firmware (BIOS) Advisory

The description of the vulnerabilities with a medium or high CVSS base score is as follows:

CVE Number	CVSS Base Score
CVE-2022-37343	7.2 (High)
CVE-2022-44611	6.9 (Medium)
CVE-2022-38083	6.1 (Medium)
CVE-2022-27879	5.3 (Medium)
CVE-2022-43505	4.1 (Medium)

INTEL-SA-00828: 2023.3 IPU – Intel® Processor (MC) Advisory

The description of the vulnerability with a medium CVSS base score is as follows:

CVE Number	CVSS Base Score
CVE-2022-40982	6.5 (Medium)

INTEL-SA-00836: 2023.3 IPU – Intel® Xeon® Scalable Processors (MC) Advisory

The description of the vulnerability with a medium CVSS base score is as follows:

CVE Number	CVSS Base Score
CVE-2023-23908	6.0 (Medium)

INTEL-SA-00837: 2023.3 IPU – Intel® Xeon® Processor (MC) Advisory

The description of the vulnerability with a high CVSS base score is as follows:

CVE Number	CVSS Base Score
CVE-2022-41804	7.2 (High)

Links for Technical Details

Technical details of the potential security vulnerabilities and functional issues are documented online:
https://security-center.intel.com

Affection and Remediation

Affected Fujitsu Products

A number of Fujitsu products are affected by these vulnerabilities. Fujitsu is working to distribute updates for all affected products that are currently supported. Older systems that are no longer supported will not be updated.

An overview of the affected Client Computing Devices (e.g. CELSIUS, ESPRIMO, FUTRO, LIFEBOOK, STYLISTIC), Server products (PRIMERGY and PRIMEQUEST), Storage products (ETERNUS) and Server BS2000 products (SE, AU) can be found here:
List of affected Fujitsu products (APL)

This page will be updated regularly as soon as new information is available. Besides a list of affected systems, also more detailed advice will follow.

NOTE:
Necessary updates for certain Fujitsu Server products (PRIMERGY) will be issued along with the 2023.3 Intel Platform Update (IPU) in two update steps, in the 1st step only providing INTEL-SA-00828 (CPU GDS) mitigations and in the 2nd step providing INTEL-SA-00813 (BIOS), INTEL-SA-00836 (CPU) and INTEL-SA-00837 (CPU) mitigations.

Intel® Security Advisory INTEL-SA-00828 (CPU) unfortunately does have an up to 32% impact on high performance compute LAMMPS workload, when using Intel® oneAPI DPC++/C++ Compiler 2022.1 with xCORE-AVX512 base tuning, as described in the 2023.3 Intel® Platform Update Server Power & Performance Report document.

Intel® Security Advisories INTEL-SA-00690, INTEL-SA-00766, INTEL-SA-00794, INTEL-SA-00795, INTEL-SA-00826, INTEL-SA-00835, INTEL-SA-00846, INTEL-SA-00851, INTEL-SA-00875 and INTEL-SA-00897 are not part of this 2023.3 Intel Platform Update (IPU). The Fujitsu PSIRT already addressed these Intel® Security Advisories internally and will release Fujitsu PSIRT Security Notices, depending on the result of the final analysis.

Recommended Steps for Remediation

Remediation via BIOS Update
Step 1: Determine whether you have an affected system.

Refer to the list of affected Fujitsu products (APL). This list is updated regularly.
Before proceeding, please check the expected availability of the relevant BIOS update package.

Step 2: Download and install the BIOS update package.

To download and install the BIOS update package, please go to the Fujitsu Technical Support page and follow these steps:
• Select "Select a new Product" (button)
• Select "Browse for Product"
• Select "product line"
• Select "product group" and "product family".
• Download and install the latest BIOS update package

NOTE:
The BIOS update package usually contains an EfiFlashEfiUsage.txt, ReleaseNote.txt or ReadMe.txt file with specific instructions for the BIOS update.

Remediation via Management Engine (ME) Update
Updating the ME firmware is an alternative to updating the BIOS and used when a BIOS update is not planned. However, it may only be available for some specific Client Computing Devices.

Step 1: Determine whether you have an affected system.

Refer to the list of affected Fujitsu products (APL). This list is updated regularly.
Before proceeding, please check the expected availability of the relevant ME update package.

Step 2: Download the ME update package.

To download the ME update package, please go to the Fujitsu Technical Support page and follow these steps:
• Select "Select a new Product" (button)
• Select "Browse for Product"
• Select "product line"
• Select "product group" and "product family".
• Download and install the latest ME update package

Step 3: Preparation.

After downloading the .zip file, containing the ME Firmware Update Pack, extract all files/directories/subdirectories in the Firmware.ME directory (\Firmware.ME) of the .zip file to the desired directory on the hard drive.

Step 4: ME Update Procedure.

The "Firmware.ME" directory contains the ME update files which can be used in Windows environment. Run "update.bat" in Windows cmd environment with administrative privileges to start the ME flash procedure. Please choose 32-bit or 64-bit directory if using a Windows 32-bit or a Windows 64-bit installation.

NOTE:
To run the ME Update procedure using a Windows installation, it is necessary to have the Windows "HECI" driver installed. Please use the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.

To run the ME update procedure, using a Windows PE installation, it is necessary to have the Windows "HECI" driver installed. This can be done at runtime by executing "drvload.exe <path-to-HECI.INF>\HECI.INF". The "HECI" driver can be extracted from the Intel® Active Management Technology (Intel® AMT) Driver Package for Windows.

Links for Software Security Updates

Vendor Fujitsu
security.ts.fujitsu.com

Vendor Intel
security-center.intel.com

Further Information

Contact Details

Should you require any further security-related assistance, please contact: Fujitsu-PSIRT@ts.fujitsu.com.

Legal Statement

Fujitsu does not manufacture the affected microprocessors, that Fujitsu buys from third party suppliers and integrates into its products. Therefore, this communication is based on the information and recommendations Fujitsu has received from the third party suppliers of the affected microprocessors.

Fujitsu does not warrant that this communication is applicable or complete for all customers and all situations. Fujitsu recommends that customers determine the applicability of this communication to their individual situation and take appropriate measures. Fujitsu is not liable for any damages or other negative effects, resulting from customers' use of this communication. All details of this communication are provided "as is" without any warranty or guarantee. Fujitsu reserves the right to change or update this communication at any time.

Websites of other companies referred to in this communication are the sole responsibility of such other companies. Fujitsu does not assume any liability with respect to any information and materials provided by its suppliers, including on such websites.

Designations may be protected by trademarks and/or copyrights of Fujitsu or the respective owners, the use of which by third parties for their own purposes may infringe the rights of such owners.