Summary:
This Security Bulletin discusses several security vulnerabilities that affect previous versions of Intel® Manycore Platform Software Stack (Intel® MPSS) release 3.x. Some stem from vulnerabilities in the 3rd-party OpenSSL library, which is built into the coprocessor OS. Others were discovered during internal testing of the Intel® Manycore Platform Software Stack (Intel® MPSS). Intel’s coprocessors are functioning within specification; this is a software implementation issue.
Description:
On June 5th 2014, OpenSSL.org published a Security Advisory reporting multiple vulnerabilities in OpenSSL. The majority of these are a new set of vulnerabilities discovered following the “heartbleed” issue. These vulnerabilities, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470 and CVE-2010-5298 affect a wide range of OpenSSL library versions. Intel® Xeon Phi™ coprocessor OS ships with an open-source OpenSSH component, which statically links a subset of OpenSSL library version 1.0.0.h that contains the above-mentioned vulnerabilities. Intel has followed the recommendation of the OpenSSL Security Advisory and upgraded OpenSSL code to version 1.0.0.m. This issue affects users of Intel® MPSS for both Linux and Windows*. For more details see <https://www.openssl.org/news/secadv_20140605.txt>.
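As an added check that is not part of this bulletin or of Intel's or OpenSSL's code: a short Python script that parses the OpenSSL version string reported by the coprocessor's `ssh -V` (OpenSSH prints the OpenSSL it was linked against) and flags anything older than the 1.0.0m the update ships, using the letter-suffix ordering that pre-1.1.0 OpenSSL releases used. The hostnames, the OpenSSH version and the sample output are constructed.

```python
import re

# Constructed example, not Intel's or OpenSSL's code. Hostnames and `ssh -V`
# output below are made up; real output comes from e.g. `ssh mic0 ssh -V`.

# The bulletin says the coprocessor OpenSSH statically links OpenSSL 1.0.0h
# and that the update moves it to 1.0.0m, which addresses the listed CVEs.
# The comparison is against that 1.0.0-branch fix level only; other OpenSSL
# branches have their own fixed versions, which this bulletin does not cover.
FIXED_OPENSSL = "OpenSSL 1.0.0m"
BULLETIN_CVES = ("CVE-2014-0076", "CVE-2014-0195", "CVE-2014-0198",
                 "CVE-2014-0221", "CVE-2014-0224", "CVE-2014-3470",
                 "CVE-2010-5298")

# Pre-1.1.0 OpenSSL versions look like 1.0.0h: three numbers plus a letter run
# for patch releases. The optional dot also accepts the "1.0.0.h" spelling.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)\.?([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, letters) from text containing 'OpenSSL x.y.zL'.

    Tuple comparison gives the right order: no letter sorts before 'a',
    'h' < 'm', and 'z' < 'za' < 'zb' as OpenSSL used after running out of letters.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no OpenSSL version in %r" % text)
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_vulnerable(ssh_v_output):
    """True when the linked OpenSSL is older than the 1.0.0m the bulletin ships."""
    return parse_openssl_version(ssh_v_output) < parse_openssl_version(FIXED_OPENSSL)


def audit(ssh_v_by_host):
    """Map each host to the CVE list it is still exposed to (empty when patched)."""
    return {host: (BULLETIN_CVES if is_vulnerable(out) else ())
            for host, out in ssh_v_by_host.items()}


# Constructed sample output in the format `ssh -V` prints to stderr.
SAMPLE_SSH_V = {
    "mic0": "OpenSSH_5.9p1, OpenSSL 1.0.0h 12 Mar 2012",  # before the MPSS 3.3-1 update
    "mic1": "OpenSSH_5.9p1, OpenSSL 1.0.0m 5 Jun 2014",   # after the update
}

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_SSH_V).items():
        print(host, ("vulnerable to " + ", ".join(cves)) if cves else "patched")
```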
In addition, several undisclosed vulnerabilities were discovered during internal testing, and security enhancements were made to mitigate them. These vulnerabilities and enhancements are summarized as follows.
Issues 1, 2, 4 and 5 affect only users of Intel® MPSS for Linux*; users of Intel® MPSS for Windows* are not affected by them. Issue 3 affects users of Intel® MPSS for both Linux* and Windows*.
“Attacker” in this description means an unprivileged user with valid credentials on both the host that contains the Intel® Xeon Phi™ coprocessor and the Intel® Xeon Phi™ coprocessor OS.
Intel recommends that customers running Intel® MPSS releases 3.1.x-1 and 3.2.x update to the Intel® MPSS 3.3-1 release, for all supported versions of the Linux* host OS, including RHEL* 6.0, RHEL* 6.1, RHEL* 6.2, RHEL* 6.3, RHEL* 6.4, RHEL* 6.5, SUSE* 11.1, SUSE* 11.2 and SUSE* 11.3.