PT-2018-18829 · Lenovo+1 · Lenovo System X+1
Published: 2018-07-26 · Updated: 2018-09-28 · CVE-2018-9068
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Lenovo System x versions prior to 4.90
IBM System x versions prior to 6.80
Description
The issue concerns the IMM2 First Failure Data Capture function, which collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server. In affected versions, the credentials to access the SFTP server are hard-coded, allowing an attacker with management network access to obtain the collected data.
Recommendations
For Lenovo System x versions prior to 4.90, update to version 4.90 or later, which generates random SFTP credentials.
For IBM System x versions prior to 6.80, update to version 6.80 or later, which generates random SFTP credentials.
Fix
Using Hardcoded Credentials
Weakness Enumeration
Related Identifiers
Affected Products
IBM System X
Lenovo System X