This Security Bulletin discusses several security vulnerabilities that affect previous versions of Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x. Some stem from vulnerabilities in the 3rd-party OpenSSL library, which is built into the coprocessor OS. Others were discovered during internal testing of the Intel® Manycore Platform Software Stack (Intel® MPSS). Intel’s coprocessors are functioning within specification; this is a software implementation issue.
On June 5th 2014, OpenSSL.org published a Security Advisory reporting multiple vulnerabilities in OpenSSL. The majority of these are a new set of vulnerabilities discovered following the "heartbleed" issue. These vulnerabilities, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 and CVE-2010-5298 affect a wide range of OpenSSL library versions. Intel® Xeon Phi™ coprocessor OS ships with an open-source OpenSSH component, which statically links a subset of OpenSSL library version 1.0.0.h that contains the above-mentioned vulnerabilities. Intel has followed the recommendation of the OpenSSL Security Advisory and upgraded OpenSSL code to version 1.0.0.m. This issue affects users of Intel® MPSS for both Linux and Windows*. For more details see https://www.openssl.org/news/secadv_20140605.txt.
In addition, several undisclosed vulnerabilities were discovered during internal testing, and security enhancements were made to mitigate them. These vulnerabilities and enhancements are summarized as follows.
- An issue was found in the way Intel® MPSS code builds the file system for the coprocessor OS, which could lead to privilege escalation on the coprocessor OS.
- Race conditions were found in file system creation for the coprocessor OS. An malicious attacker could exploit these race conditions, which could potentially lead to privilege escalation on the coprocessor OS. Clusters that enforce a policy of disallowing users to be logged into the host during coprocessor OS boot are not affected by this issue.
- An issue was found in the MIC Control Panel GUI, which could lead to a corruption in the host file system.
- An issue was found in the runtime usage of COI that could lead to privilege escalation on the coprocessor OS.
- An issue was found in the “micctrl_passwd” command that could lead to privilege escalation on the host OS. This release patches this command – in future releases this command will be deprecated and we recommend the exclusive use of alternative methods to manage user logins, e.g., SSH keys.
Issues 1, 2, 4, 5 affect only users of Intel® MPSS for Linux*, and users of Intel® MPSS for Windows* are not affected. Issue 3 affects users of Intel® MPSS for both Linux and Windows*.
“Attacker” in this description means an unprivileged user with valid credentials on both the host that contains Intel® Xeon Phi™ coprocessor and on the Intel® Xeon Phi™ coprocessor OS.
Intel recommends updating to the Intel® MPSS 3.3-1 release for the customers running Intel® MPSS releases 3.1.x-1 and 3.2.x, for all supported versions of the Linux* host OS, including RHEL* 6.0, RHEL* 6.1, RHEL* 6.2, RHEL* 6.3, RHEL* 6.4, RHEL* 6.5, SUSE* 11.1, SUSE* 11.2, SUSE* 11.3. .