ID

VAR-201706-0355


CVE

CVE-2017-3744


TITLE

Lenovo System x Server IMM2 Firmware command injection vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2017-005197

DESCRIPTION

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands. The Lenovo System x Server IMM2 firmware contains a command injection vulnerability. Information may be obtained. Lenovo System x IMM2 is the firmware used by Lenovo servers to provide remote monitoring and control of the server. A security vulnerability exists in Lenovo System x IMM2 that could allow an attacker to exploit it to obtain a login certificate. Lenovo System x is a server from Lenovo of China.

Trust: 2.25

sources: NVD: CVE-2017-3744 // JVNDB: JVNDB-2017-005197 // CNVD: CNVD-2017-13250 // VULHUB: VHN-111947

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2017-13250

AFFECTED PRODUCTS

vendor: ibm, model: integrated management module, scope: lte, version: 6.19

Trust: 1.0

vendor: lenovo, model: integrated management module, scope: lte, version: 4.9

Trust: 1.0

vendor: ibm, model: integrated management module, scope: -, version: -

Trust: 0.8

vendor: lenovo, model: integrated management module, scope: -, version: -

Trust: 0.8

vendor: lenovo, model: flex system m4, scope: eq, version: x240<=4.10

Trust: 0.6

vendor: ibm, model: integrated management module, scope: eq, version: 6.19

Trust: 0.6

sources: CNVD: CNVD-2017-13250 // JVNDB: JVNDB-2017-005197 // CNNVD: CNNVD-201706-791 // NVD: CVE-2017-3744

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2017-3744
value: MEDIUM

Trust: 1.0

NVD: CVE-2017-3744
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2017-13250
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201706-791
value: MEDIUM

Trust: 0.6

VULHUB: VHN-111947
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2017-3744
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2017-13250
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-111947
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2017-3744
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.8
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: CNVD: CNVD-2017-13250 // VULHUB: VHN-111947 // JVNDB: JVNDB-2017-005197 // CNNVD: CNNVD-201706-791 // NVD: CVE-2017-3744

PROBLEMTYPE DATA

problemtype:CWE-532

Trust: 1.1

problemtype:CWE-77

Trust: 0.9

sources: VULHUB: VHN-111947 // JVNDB: JVNDB-2017-005197 // NVD: CVE-2017-3744

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201706-791

TYPE

log information leak

Trust: 0.6

sources: CNNVD: CNNVD-201706-791

CONFIGURATIONS

sources: JVNDB: JVNDB-2017-005197

PATCH

title: LEN-14054, url: https://support.lenovo.com/jp/ja/product_security/len-14054

Trust: 0.8

title: Lenovo System x IMM2 firmware certificate to obtain a patch for the vulnerability, url: https://www.cnvd.org.cn/patchInfo/show/97553

Trust: 0.6

title: Lenovo System x IMM2 Fixes for firmware security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=71253

Trust: 0.6

sources: CNVD: CNVD-2017-13250 // JVNDB: JVNDB-2017-005197 // CNNVD: CNNVD-201706-791

EXTERNAL IDS

db: NVD, id: CVE-2017-3744

Trust: 3.1

db: LENOVO, id: LEN-14054

Trust: 2.3

db: JVNDB, id: JVNDB-2017-005197

Trust: 0.8

db: CNNVD, id: CNNVD-201706-791

Trust: 0.7

db: CNVD, id: CNVD-2017-13250

Trust: 0.6

db: VULHUB, id: VHN-111947

Trust: 0.1

sources: CNVD: CNVD-2017-13250 // VULHUB: VHN-111947 // JVNDB: JVNDB-2017-005197 // CNNVD: CNNVD-201706-791 // NVD: CVE-2017-3744

REFERENCES

url:https://support.lenovo.com/product_security/len-14054

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-3744

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2017-3744

Trust: 0.8

url:https://support.lenovo.com/us/zh/product_security/len-14054

Trust: 0.6

sources: CNVD: CNVD-2017-13250 // VULHUB: VHN-111947 // JVNDB: JVNDB-2017-005197 // CNNVD: CNNVD-201706-791 // NVD: CVE-2017-3744

SOURCES

db: CNVD, id: CNVD-2017-13250
db: VULHUB, id: VHN-111947
db: JVNDB, id: JVNDB-2017-005197
db: CNNVD, id: CNNVD-201706-791
db: NVD, id: CVE-2017-3744

LAST UPDATE DATE

2024-11-23T22:45:39.192000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2017-13250, date: 2017-07-07T00:00:00
db: VULHUB, id: VHN-111947, date: 2019-10-03T00:00:00
db: JVNDB, id: JVNDB-2017-005197, date: 2017-07-20T00:00:00
db: CNNVD, id: CNNVD-201706-791, date: 2019-10-23T00:00:00
db: NVD, id: CVE-2017-3744, date: 2024-11-21T03:26:03.203

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2017-13250, date: 2017-07-07T00:00:00
db: VULHUB, id: VHN-111947, date: 2017-06-20T00:00:00
db: JVNDB, id: JVNDB-2017-005197, date: 2017-07-20T00:00:00
db: CNNVD, id: CNNVD-201706-791, date: 2017-06-29T00:00:00
db: NVD, id: CVE-2017-3744, date: 2017-06-20T00:29:00.330