Vulnerability Details : CVE-2018-9068
The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.
Products affected by CVE-2018-9068
- cpe:2.3:o:ibm:bladecenter_hs23_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3530_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3630_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3650_m4_hd_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:bladecenter_hs22_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:bladecenter_hs23e_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x220_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x222_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x240_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x280_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x440_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x480_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:flex_system_x880_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:idataplex_dx360_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:idataplex_dx360_m4_water_cooled_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:nextscale_nx360_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3100_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3100_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3250_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3250_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3300_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3500_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3550_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3650_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3650_m4_bd_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3750_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3850_x6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:ibm:system_x3950_x6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x240_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x240_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x280_x6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x440_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x480_x6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:flex_system_x880_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:nextscale_nx360_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3250_m6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3500_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3550_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3650_m5_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3750_m4_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3850_x6_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:lenovo:system_x3950_x6_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-9068
- EPSS score: 0.16% (probability of exploitation activity in the next 30 days)
- Percentile: ~51% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-9068
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-9068
- The product contains hard-coded credentials, such as a password or cryptographic key. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-9068
- https://support.lenovo.com/us/en/solutions/LEN-20227
  Integrated Management Module 2 (IMM2) First Failure Data Capture (FFDC) Information Disclosure - US (Vendor Advisory)