Intel takes security issues seriously. If you believe you have observed a security issue with any supported Intel® Manycore Platform Software Stack (Intel® MPSS) software, please check below to see if your security issue has already been addressed. If the issue you observed has not already been identified, please report the issue using the Intel Premier issue reporting tool at https://premier.intel.com.
Details on submitting issues are as follows:
- Go to https://premier.intel.com/
- Log in to the site. Your username and password are case-sensitive.
- Select "Submit Issues" on the left navigation bar.
- Select "Development Environment (tools, SDV, EAP)" from the "Product Type" drop-down list.
- Select the "Intel® MPSS for Linux*" Product Name.
- Complete the fields in the windows that follow to report the issue. Set the ticket title to "POTENTIAL SECURITY VULNERABILITY"
If you don't have an Intel Premier account, please contact Intel at https://security-center.intel.com/default.aspxto report the potential security issue.
When reporting the issue, please provide as much detail as possible, including the host operating system where the Intel® MPSS is installed, the version number of the Intel® MPSS, and detailed steps to invoke the security exploit. Please provide any source code used to invoke the exploit as well.
Reproducible security issues are treated as Critical and investigated with high priority. Critical security issues are typically resolved via a 'hotfix' to the most current release of the Intel® MPSS. Issues that are resolved are reported in the release_notes.txt for that particular version of the Intel® MPSS. We encourage you to monitor the forums or subscribe to the Intel® Manycore Platform Software Stack distribution page (http://software.intel.com/en-us/articles/intel-manycore-platform-software-stack-mpss) to be notified of new releases when they are made available.
Below is a list of all security issues that have been identified and addressed with the Intel® Manycore Platform Software Stack (Intel® MPSS) software:
March 2014: Micctrl may copy files through hard links, Vulnerability in Linux kernel.org, CVE-2013-2929. For more information, please click here.
1. While building the file system for the coprocessor OS, a privilege escalation could occur on the coprocessor OS
2. Use of Control Panel GUI could lead to a corruption in the host file system
3. Use of micctrl_passwd command could lead to a privilege escalation on the host OS. This release patches this command – in future releases this command will be deprecated and we recommend the exclusive use of alternative methods to manage user logins, e.g., SSH keys
4. Upgraded OpenSSL* code to version 1.0.0.m (from 1.0.0.h) due to multiple vulnerabilities in OpenSSL* as reported by OpenSSL.org
5. Runtime usage of COI could lead to a privilege escalation on the coprocessor OS
6. File system creation for the coprocessor OS could lead to a privilege escalation on the coprocessor OS. Clusters that enforce a policy of disallowing users to be logged into the host during coprocessor OS boot are not affected by this issue
For more information, please click here.
1. An Intel(R) MPSS race condition which could provide root privileges to the card.
2. OpenSSL* code upgraded to version 1.0.0.r due to multiple vulnerabilities in OpenSSL* as reported by OpenSSL.org.