CVE-2018-9068

Severity CVSS v4.0:

Pending analysis

Type:

CWE-798 Use of Hard-coded Credentials

Publication date:

26/07/2018

Last modified:

28/09/2018

Description

The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.

Impact

Vector 3.x

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS v3.1 Severity and Metrics:

Base Score: 7.50 HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

Base Score 3.x

7.50

Severity 3.x

HIGH

Vector 2.0

AV:N/AC:L/Au:N/C:P/I:N/A:N CVSS v2.0 Severity and Metrics:

Base Score: 5.00 MEDIUM
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Authentication (Au): None
Confidentiality (C): Physical
Integrity (I): None
Availability (A): None

Base Score 2.0

5.00

Severity 2.0

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:lenovo:flex_system_x240_m4_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x240_m4:-:::::::*
cpe:2.3:o:lenovo:flex_system_x240_m5_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x240_m5:-:::::::*
cpe:2.3:o:lenovo:flex_system_x280_x6_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x280_x6:-:::::::*
cpe:2.3:o:lenovo:flex_system_x440_m4_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x440_m4:-:::::::*
cpe:2.3:o:lenovo:flex_system_x480_x6_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x480_x6:-:::::::*
cpe:2.3:o:lenovo:flex_system_x880_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x880:-:::::::*
cpe:2.3:o:lenovo:nextscale_nx360_m5_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:nextscale_nx360_m5:-:::::::*
cpe:2.3:o:lenovo:system_x3250_m6_firmware::::::::		4.90 (excluding)

To consult the complete list of CPE names with products and versions, see this page

References to Advisories, Solutions, and Tools

https://support.lenovo.com/us/en/solutions/LEN-20227

CPE	From	Up to
cpe:2.3:o:lenovo:flex_system_x240_m4_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x240_m4:-:::::::*
cpe:2.3:o:lenovo:flex_system_x240_m5_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x240_m5:-:::::::*
cpe:2.3:o:lenovo:flex_system_x280_x6_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x280_x6:-:::::::*
cpe:2.3:o:lenovo:flex_system_x440_m4_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x440_m4:-:::::::*
cpe:2.3:o:lenovo:flex_system_x480_x6_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x480_x6:-:::::::*
cpe:2.3:o:lenovo:flex_system_x880_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:flex_system_x880:-:::::::*
cpe:2.3:o:lenovo:nextscale_nx360_m5_firmware::::::::		4.90 (excluding)
cpe:2.3:h:lenovo:nextscale_nx360_m5:-:::::::*
cpe:2.3:o:lenovo:system_x3250_m6_firmware::::::::		4.90 (excluding)