ID

VAR-201807-1683


CVE

CVE-2018-9068


TITLE

IMM2 vulnerability related to the use of hard-coded credentials

Trust: 0.8

sources: JVNDB: JVNDB-2018-008739

DESCRIPTION

The IMM2 First Failure Data Capture (FFDC) function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI. IMM2 contains a vulnerability in the use of hard-coded credentials. Information may be obtained.

Trust: 1.62

sources: NVD: CVE-2018-9068 // JVNDB: JVNDB-2018-008739

AFFECTED PRODUCTS

vendor: lenovo, model: flex system x880, scope: lt, version: 4.90

Trust: 1.0

vendor: lenovo, model: system x3250 m6, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: system x3500 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: bladecenter hs22, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3300 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3650 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3250 m5, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: flex system x222 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: flex system x240 m5, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: flex system x220 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3650 m4 bd, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: idataplex dx360 m4 water cooled, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3550 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: nextscale nx360 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3530 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3950 x6, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: bladecenter hs23, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3650 m4 hd, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3500 m5, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: flex system x240 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3950 x6, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: flex system x880 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: flex system x440 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3630 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3650 m5, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: system x3250 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3550 m5, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: flex system x480 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: idataplex dx360 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3100 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: system x3750 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: flex system x240 m4, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: system x3100 m5, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: flex system x480 x6, scope: lt, version: 4.90

Trust: 1.0

vendor: lenovo, model: nextscale nx360 m5, scope: lt, version: 4.90

Trust: 1.0

vendor: lenovo, model: flex system x440 m4, scope: lt, version: 4.90

Trust: 1.0

vendor: lenovo, model: flex system x280 x6, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: flex system x280 m4, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3850 x6, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: bladecenter hs23e, scope: lt, version: 6.80

Trust: 1.0

vendor: lenovo, model: system x3750 m4, scope: lt, version: 4.90

Trust: 1.0

vendor: ibm, model: system x3850 x6, scope: lt, version: 6.80

Trust: 1.0

vendor: ibm, model: integrated management module, scope: -, version: -

Trust: 0.8

vendor: lenovo, model: integrated management module, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2018-008739 // NVD: CVE-2018-9068

CVSS

SEVERITY

nvd@nist.gov: CVE-2018-9068
value: HIGH

Trust: 1.0

NVD: CVE-2018-9068
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201807-1885
value: MEDIUM

Trust: 0.6

CVSSV2

nvd@nist.gov: CVE-2018-9068
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CVSSV3

nvd@nist.gov: CVE-2018-9068
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.8

sources: JVNDB: JVNDB-2018-008739 // CNNVD: CNNVD-201807-1885 // NVD: CVE-2018-9068

PROBLEMTYPE DATA

problemtype: CWE-798

Trust: 1.8

sources: JVNDB: JVNDB-2018-008739 // NVD: CVE-2018-9068

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201807-1885

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-201807-1885

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-008739

PATCH

title: LEN-20227, url: https://support.lenovo.com/us/en/solutions/LEN-20227

Trust: 0.8

title: Lenovo System x and IBM System x Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=82630

Trust: 0.6

sources: JVNDB: JVNDB-2018-008739 // CNNVD: CNNVD-201807-1885

EXTERNAL IDS

db: NVD, id: CVE-2018-9068

Trust: 2.4

db: LENOVO, id: LEN-20227

Trust: 1.6

db: JVNDB, id: JVNDB-2018-008739

Trust: 0.8

db: CNNVD, id: CNNVD-201807-1885

Trust: 0.6

sources: JVNDB: JVNDB-2018-008739 // CNNVD: CNNVD-201807-1885 // NVD: CVE-2018-9068

REFERENCES

url: https://support.lenovo.com/us/en/solutions/len-20227

Trust: 1.6

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9068

Trust: 0.8

url: https://nvd.nist.gov/vuln/detail/cve-2018-9068

Trust: 0.8

sources: JVNDB: JVNDB-2018-008739 // CNNVD: CNNVD-201807-1885 // NVD: CVE-2018-9068

SOURCES

db: JVNDB, id: JVNDB-2018-008739
db: CNNVD, id: CNNVD-201807-1885
db: NVD, id: CVE-2018-9068

LAST UPDATE DATE

2024-11-23T22:48:40.110000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2018-008739, date: 2018-10-26T00:00:00
db: CNNVD, id: CNNVD-201807-1885, date: 2018-07-27T00:00:00
db: NVD, id: CVE-2018-9068, date: 2024-11-21T04:14:54.413

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2018-008739, date: 2018-10-26T00:00:00
db: CNNVD, id: CNNVD-201807-1885, date: 2018-07-27T00:00:00
db: NVD, id: CVE-2018-9068, date: 2018-07-26T19:29:00.487