Multiple Security Issues with Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x
This Security Bulletin discusses several security vulnerabilities that affect previous versions of Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x. Some stem from vulnerabilities in the 3rd-party OpenSSL library, which is built into the coprocessor OS. Others were discovered during internal testing of the Intel® Manycore Platform Software Stack (Intel® MPSS). Intel’s coprocessors are functioning within specification; this is a software implementation issue.
On June 5th 2014, OpenSSL.org published a Security Advisory reporting multiple vulnerabilities in OpenSSL. The majority of these are a new set of vulnerabilities discovered following the "Heartbleed" issue. These vulnerabilities (CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 and CVE-2010-5298) affect a wide range of OpenSSL library versions. The Intel® Xeon Phi™ coprocessor OS ships with an open-source OpenSSH component, which statically links a subset of OpenSSL library version 1.0.0.h that contains the above-mentioned vulnerabilities. Intel has followed the recommendation of the OpenSSL Security Advisory and upgraded the OpenSSL code to version 1.0.0.m. This issue affects users of Intel® MPSS for both Linux and Windows. For more details see https://www.openssl.org/news/secadv_20140605.txt.
In addition, several undisclosed vulnerabilities were discovered during internal testing, and security enhancements were made to mitigate them. These vulnerabilities and enhancements are summarized as follows.
1. An issue was found in the way Intel® MPSS code builds the file system for the coprocessor OS, which could lead to privilege escalation on the coprocessor OS.
2. Race conditions were found in file system creation for the coprocessor OS. A malicious attacker could exploit these race conditions, which could potentially lead to privilege escalation on the coprocessor OS. Clusters that enforce a policy of disallowing users to be logged into the host during coprocessor OS boot are not affected by this issue.
3. An issue was found in the MIC Control Panel GUI, which could lead to corruption of the host file system.
4. An issue was found in the runtime usage of COI that could lead to privilege escalation on the coprocessor OS.
5. An issue was found in the “micctrl_passwd” command that could lead to privilege escalation on the host OS. This release patches this command. In future releases this command will be deprecated, and we recommend the exclusive use of alternative methods to manage user logins, e.g., SSH keys.
Issues 1, 2, 4 and 5 affect only users of Intel® MPSS for Linux*; users of Intel® MPSS for Windows are not affected. Issue 3 affects users of Intel® MPSS for both Linux and Windows.
“Attacker” in this description means an unprivileged user with valid credentials on both the host that contains Intel® Xeon Phi™ coprocessor and on the Intel® Xeon Phi™ coprocessor OS.
Intel recommends that customers running Intel® MPSS releases 3.1.x-1 and 3.2.x update to the Intel® MPSS 3.3-1 release, for all supported versions of the Linux* host OS, including RHEL* 6.0, RHEL* 6.1, RHEL* 6.2, RHEL* 6.3, RHEL* 6.4, RHEL* 6.5, SUSE* 11.1, SUSE* 11.2, SUSE* 11.3.
Affected customers should download and install Intel® MPSS release 3.3 or later. Instructions on how to get and apply the update are available at http://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss
Legal Notices and Disclaimers
Intel provides these materials as-is, with no express or implied warranties.
All products, dates, and figures specified are preliminary based on current expectations, and are subject to change without notice.
Intel, processors, chipsets, and desktop boards may contain design defects or errors known as errata, which may cause the product to deviate from published specifications. Current characterized errata are available on request.
Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more at https://intel.com.
Some results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance.
Intel and the Intel logo are trademarks of Intel Corporation in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright © Intel Corporation 2020