Multiple Security Issues with Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x

Intel ID:  INTEL-SA-00039
Product family:  Intel® Manycore Platform Software Stack
Impact of vulnerability:  Elevation of Privilege
Severity rating:  Important
Original release:  Aug 26, 2014
Last revised:  Aug 26, 2014
Summary: 

This Security Bulletin discusses several security vulnerabilities that affect previous versions of Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x.  Some stem from vulnerabilities in the 3rd-party OpenSSL library, which is built into the coprocessor OS.  Others were discovered during internal testing of the Intel® Manycore Platform Software Stack (Intel® MPSS). Intel’s coprocessors are functioning within specification; this is a software implementation issue.

Description: 

On June 5th 2014, OpenSSL.org published a Security Advisory reporting multiple vulnerabilities in OpenSSL. The majority of these are a new set of vulnerabilities discovered following the "heartbleed" issue. These vulnerabilities, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 and CVE-2010-5298 affect a wide range of OpenSSL library versions.  Intel® Xeon Phi™ coprocessor OS ships with an open-source OpenSSH component, which statically links a subset of OpenSSL library version 1.0.0.h that contains the above-mentioned vulnerabilities. Intel has followed the recommendation of the OpenSSL Security Advisory and upgraded OpenSSL code to version 1.0.0.m. This issue affects users of Intel® MPSS for both Linux and Windows. For more details see https://www.openssl.org/news/secadv_20140605.txt.

In addition, several undisclosed vulnerabilities were discovered during internal testing, and security enhancements were made to mitigate them.  These vulnerabilities and enhancements are summarized as follows.

  1. An issue was found in the way Intel® MPSS code builds the file system for the coprocessor OS, which could lead to privilege escalation on the coprocessor OS.  
  2. Race conditions were found in file system creation for the coprocessor OS. A malicious attacker could exploit these race conditions, which could potentially lead to privilege escalation on the coprocessor OS. Clusters that enforce a policy of disallowing users to be logged into the host during coprocessor OS boot are not affected by this issue.
  3. An issue was found in the MIC Control Panel GUI, which could lead to a corruption in the host file system.
  4. An issue was found in the runtime usage of COI that could lead to privilege escalation on the coprocessor OS.
  5. An issue was found in the “micctrl_passwd” command that could lead to privilege escalation on the host OS. This release patches this command – in future releases this command will be deprecated and we recommend the exclusive use of alternative methods to manage user logins, e.g., SSH keys. 

 

Issues 1, 2, 4, 5 affect only users of Intel® MPSS for Linux*, and users of Intel® MPSS for Windows are not affected.  Issue 3 affects users of Intel® MPSS for both Linux and Windows.

“Attacker” in this description means an unprivileged user with valid credentials on both the host that contains Intel® Xeon Phi™ coprocessor and on the Intel® Xeon Phi™ coprocessor OS.

Intel recommends that customers running Intel® MPSS releases 3.1.x-1 and 3.2.x update to the Intel® MPSS 3.3-1 release, on all supported versions of the Linux* host OS, including RHEL* 6.0, RHEL* 6.1, RHEL* 6.2, RHEL* 6.3, RHEL* 6.4, RHEL* 6.5, SUSE* 11.1, SUSE* 11.2, SUSE* 11.3.

Affected products: 

Product Name                               Latest Intel® MPSS Software Version
Intel® Manycore Platform Software Stack    3.2-x
Intel® Manycore Platform Software Stack    3.1-x

Recommendations: 

Affected customers should download and install Intel® MPSS release 3.3 or later. Instructions on how to get and apply the update are available at http://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss
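
Because the affected OpenSSL code is statically linked into OpenSSH on the coprocessor OS, the version of the host's OpenSSL package says nothing about the card. The following triage sketch is an added example, not Intel's code: it classifies a node from its Intel® MPSS release string and from the banner that `ssh -V` prints on the coprocessor OS, using only the versions named in this bulletin. The host names, the inventory layout and the banner strings are constructed for illustration.

```python
import re

FIXED_OPENSSL = "1.0.0m"  # bulletin: OpenSSL code upgraded to 1.0.0.m
FIXED_MPSS = (3, 3)       # bulletin: install MPSS release 3.3 or later

def openssl_key(version):
    """Sort key for OpenSSL letter releases: 1.0.0 < 1.0.0a < ... < 1.0.0m."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.?([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    # (len, letters) orders "" < "a" < "z" < "za", matching the letter scheme
    return (int(major), int(minor), int(fix), len(letters), letters)

def openssl_status(ssh_banner):
    """Classify the OpenSSL build reported by `ssh -V` on the coprocessor OS."""
    m = re.search(r"OpenSSL\s+(\d+\.\d+\.\d+\.?[a-z]*)", ssh_banner)
    if not m:
        return "unknown"
    key = openssl_key(m.group(1))
    if key[:3] != (1, 0, 0):
        return "unknown"  # the bulletin only speaks to the 1.0.0 branch
    return "fixed" if key >= openssl_key(FIXED_OPENSSL) else "vulnerable"

def mpss_status(version):
    """Classify an MPSS release string such as '3.2.3' or '3.3-1'."""
    m = re.match(r"(\d+)\.(\d+)", version.strip())
    if not m:
        return "unknown"
    release = (int(m.group(1)), int(m.group(2)))
    if release in ((3, 1), (3, 2)):
        return "affected"  # releases listed under "Affected products"
    return "fixed" if release >= FIXED_MPSS else "unknown"

# Constructed inventory: (host, MPSS release, `ssh -V` banner from the card)
INVENTORY = [
    ("node01", "3.2.3", "OpenSSH_6.2p2, OpenSSL 1.0.0h 12 Mar 2012"),
    ("node02", "3.3-1", "OpenSSH_6.2p2, OpenSSL 1.0.0m 5 Jun 2014"),
    ("node03", "3.1.2-1", "OpenSSH_6.2p2, OpenSSL 1.0.0.h"),
]

def triage(inventory):
    return {h: (mpss_status(v), openssl_status(b)) for h, v, b in inventory}

if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(host, *result)
```

A banner from any branch other than 1.0.0 is reported as "unknown" rather than compared numerically, since a higher branch number does not by itself mean the June 5th 2014 fixes are present.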

Acknowledgements: 

N/A

Revision history: 

Revision    Date              Description
1.0         26-August-2014    Initial Release


Disclaimer:

INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH INTEL® PRODUCTS. YOUR USE OF THE INFORMATION IN THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. INTEL RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. EXCEPT AS PROVIDED IN INTEL’S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT.



Reporting a security issue

If you have information about a security issue or vulnerability with an Intel product, please send an e-mail to secure@intel.com. Encrypt sensitive information using our PGP public key.

For issues related to Intel managed open source projects, please visit http://www.01.org/security.

Please provide as much information as possible, including:

  • The products and versions affected
  • Detailed description of the vulnerability
  • Information on known exploits

A member of the Intel Product Security Team will review your e-mail and contact you to collaborate on resolving the issue. For more information on how Intel works to resolve security issues, see:

  • Vulnerability handling guidelines

Need product support?

The secure@intel.com e-mail address should only be used for reporting security issues.

If you...

  • Have questions about the security features of an Intel product
  • Require technical support
  • Want product updates or patches

Please visit Support & Downloads.