Vulnerability Note VU#597809
Feb 12, 2020

IBM ServeRAID Manager exposes unauthenticated Java Remote Method Invocation (RMI) service

www.kb.cert.org

CVSS2 score: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.459 Medium (percentile 97.4%)

Overview

IBM ServeRAID Manager version 9.30-17006 and prior exposes a Java RMI that allows a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

IBM ServeRAID Manager includes an embedded instance of Java version 1.4.2. Both ServeRAID Manager and Java 1.4.2 are no longer supported. ServeRAID Manager exposes a Java Remote Method Invocation (RMI) service on port 34571/tcp that listens on all interfaces by default. ServeRAID Manager runs with SYSTEM privileges on Microsoft Windows systems. An unauthenticated attacker with network access can exploit the vulnerable RMI interface to launch a remote class loader attack. This appears to be an instance of CVE-2011-3556.

The ServeRAID product name is used for hardware and software components variously owned and maintained by IBM, Lenovo, and other vendors. This vulnerability applies to the IBM ServeRAID Manager software and not to products or components from Lenovo or any other vendor.


Impact

An unauthenticated remote attacker can execute arbitrary code on a vulnerable system, with SYSTEM privileges on Microsoft Windows.


Solution

ServeRAID Manager is no longer supported and we do not expect IBM to release fixes.


Restrict access

Configure ServeRAID Manager to listen only on specific network interfaces (such as localhost), or use a host-based firewall to restrict network access to 34571/tcp.
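To verify that the mitigation above actually took effect, the following added example (written for this note, not CERT/CC or IBM tooling) parses Windows `netstat -ano` listener output and flags any 34571/tcp socket that is still bound to a wildcard or routable address rather than loopback; the sample output and PID are constructed.

```python
"""Exposure check for the ServeRAID Manager RMI listener (VU#597809).

Parses `netstat -ano`-style listener rows and reports every socket on
34571/tcp that is not limited to a loopback address, i.e. the exposure
the "Restrict access" mitigation is meant to close.
"""
import ipaddress
import re

RMI_PORT = 34571  # ServeRAID Manager RMI port named in the advisory

# Matches Windows `netstat -ano` rows such as:
#   TCP    0.0.0.0:34571   0.0.0.0:0   LISTENING   1234
LISTEN_RE = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)"
)


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for wildcard or routable addresses."""
    addr = addr.strip("[]")  # netstat brackets IPv6 addresses
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def exposed_rmi_listeners(netstat_lines):
    """Return (addr, pid) for each 34571/tcp listener reachable beyond loopback."""
    findings = []
    for line in netstat_lines:
        m = LISTEN_RE.match(line)
        if not m or int(m.group("port")) != RMI_PORT:
            continue
        if not is_loopback(m.group("addr")):
            findings.append((m.group("addr"), int(m.group("pid"))))
    return findings


# Constructed sample output (not captured from a real host): a wildcard IPv4
# listener, a loopback-only listener, a wildcard IPv6 listener, and SMB.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:34571          0.0.0.0:0              LISTENING       2816",
    "  TCP    127.0.0.1:34571        0.0.0.0:0              LISTENING       2816",
    "  TCP    [::]:34571             [::]:0                 LISTENING       2816",
    "  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4",
]

if __name__ == "__main__":
    for addr, pid in exposed_rmi_listeners(SAMPLE_NETSTAT):
        print(f"34571/tcp still reachable via {addr} (pid {pid}); restrict it")
```

On a live host, feed it the output of `netstat -ano` instead of `SAMPLE_NETSTAT`; an empty result means only loopback bindings remain.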


Vendor Information

IBM Corporation: Affected

Notified: November 07, 2019 Updated: February 11, 2020

Statement Date: July 26, 2019

Status

Affected

Vendor Statement

The product team has reviewed further and determined this is unsupported software with no plans to fix. We will be removing it from the web to avoid future confusion.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Lenovo: Not Affected

Notified: June 06, 2019 Updated: February 11, 2020

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

Lenovo was never responsible for the IBM ServeRAID Manager software.

CVSS Metrics

Group          Score  Vector
Base           10     AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       9.5    E:F/RL:U/RC:C
Environmental  2.4    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Brendan Saulsbury, Ariel Montano Cardenas, Lavelle Perry, and Swagat Das for reporting this vulnerability.

This document was written by Laurie Tyzenhaus.

Other Information

CVE IDs: CVE-2011-3556
Date Public: 2020-02-12 Date First Published: