SFTP Server Credential Exposure in Lenovo and IBM Management Systems
CVE-2018-9068
7.5 HIGH
Summary
The IMM2 Management Module's First Failure Data Capture (FFDC) function logs hardware errors and provides diagnostic information. In certain older firmware versions, the credentials for the SFTP server used to download this sensitive data are hard-coded and publicly documented, so they offer no real protection. Any attacker with access to the management network can use them to gain unauthorized access to this data, putting system integrity and security at risk.
Affected Version(s)
System x IMM2 firmware versions earlier than 4.90
System x IMM2 firmware versions earlier than 6.80
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved