Remote Command Logging Vulnerability in Lenovo System x Servers
CVE-2017-3744
6.5 MEDIUM
Summary
The IMM2 firmware in Lenovo System x servers contains a vulnerability that allows remote commands initiated by tools such as LXCA to be logged in the First Failure Data Capture (FFDC) service logs. If an FFDC log is generated while such a command is executing, the log may inadvertently capture sensitive information, including clear text login credentials. Authorized users with access to exported FFDC logs could thereby gain unauthorized visibility into remote command data, which poses a significant risk.
Affected Version(s)
Lenovo System x IMM2 firmware versions earlier than 4.10 and IBM System x IMM2 firmware versions earlier than 6.20
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged