Privilege Escalation in IBM Power9 Self Boot Engine
CVE-2021-20487

8HIGH

Key Information:

Vendor: IBM
Status: Power 9 Systems
Vendor: CVE Published:; 26 May 2021

What is CVE-2021-20487?

The IBM Power9 Self Boot Engine (SBE) vulnerability enables a privileged user to inject malicious code, compromising the integrity of the host firmware. This occurs through a bypass of the firmware signature verification process, presenting significant risks to system security. Organizations using IBM Power9 products should investigate and address this vulnerability to maintain secure operational environments.

Affected Version(s)

Power 9 Systems FW930

Power 9 Systems FW940

Power 9 Systems FW941

References

https://www.ibm.com/support/pages/node/6455911

x_refsource_CONFIRM

https://exchange.xforce.ibmcloud.com/vulnerabilities/197730

vdb-entryx_refsource_XF

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 26, 2021
Vulnerability Reserved
Dec 17, 2020