CVE-2019-4169 : IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using

IBM Open Power Firmware OP910 and OP920 could allow access to BMC via IPMI using default OpenBMC password even after BMC password was changed away from the default password. IBM X-Force ID: 158702.

Published 2019-08-26 15:15:13

Updated 2022-12-09 19:24:17

Source IBM Corporation

View at NVD, CVE.org

Products affected by CVE-2019-4169

IBM » Open Power » Version: Op910
cpe:2.3:o:ibm:open_power:op910:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Power System 8335-gth » Version: N/A
When used together with: IBM » Power System 8335-gtx » Version: N/A
IBM » Open Power » Version: Op920
cpe:2.3:o:ibm:open_power:op920:*:*:*:*:*:*:*
Matching versions
When used together with: IBM » Power System 8335-gtc » Version: N/A
When used together with: IBM » Power System 8335-gtg » Version: N/A
When used together with: IBM » Power System 8335-gtw » Version: N/A

Exploit prediction scoring system (EPSS) score for CVE-2019-4169

EPSS FAQ

0.27%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 47 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-4169

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:P/A:N	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: None
8.1	HIGH	CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	2.8	5.2	IBM Corporation
Attack Vector: Adjacent Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None
9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N	3.9	5.2	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: None

CWE ids for CVE-2019-4169

CWE-1188 Initialization of a Resource with an Insecure Default

The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2019-4169

http://www.ibm.com/support/docview.wss?uid=ibm10881209

IBM Security Bulletin: This Power System update is being released to address CVE-2019-4169
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/158702

IBM Open Power Firmware information disclosure CVE-2019-4169 Vulnerability Report
VDB Entry;Vendor Advisory

Jump to

Vulnerability Details : CVE-2019-4169

Products affected by CVE-2019-4169

Exploit prediction scoring system (EPSS) score for CVE-2019-4169

CVSS scores for CVE-2019-4169

CWE ids for CVE-2019-4169

References for CVE-2019-4169