Jan 26, 2018 - 7:29 p.m.

CVE-2017-3768

2018-01-26 19:29:00
CWE-400
web.nvd.nist.gov
cve-2017-3768
denial of service attack
imm2
authentication failures
common information model
cim
lxca
onecli
ibm system x
lenovo system x

CVSS2: 7.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 7.4 High
Confidence: High

EPSS: 0.001 Low
Percentile: 41.4%

An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease.

Affected configurations

NVD
Node: lenovaflex_system_x240_m5 (Match -) AND lenovaflex_system_x240_m5_firmware (Range <4.4)
Node: lenovaflex_system_x280_x6 (Match -) AND lenovaflex_system_x280_x6_firmware (Range <4.4)
Node: lenovaflex_system_x440_m4 (Match -) AND lenovaflex_system_x440_m4_firmware (Range <4.4)
Node: lenovaflex_system_x480_x6 (Match -) AND lenovaflex_system_x480_x6_firmware (Range <4.4)
Node: lenovaflex_system_x880 (Match -) AND lenovaflex_system_x880_firmware (Range <4.4)
Node: lenovanextscale_nx360_m5 (Match -) AND lenovanextscale_nx360_m5_firmware (Range <4.4)
Node: lenovasystem_x3250_m6 (Match -) AND lenovasystem_x3250_m6_firmware (Range <4.4)
Node: lenovasystem_x3500_m5 (Match -) AND lenovasystem_x3500_m5_firmware (Range <4.4)
Node: lenovasystem_x3550_m5_firmware (Range <4.4) AND lenovasystem_x3550_m5 (Match -)
Node: lenovasystem_x3650_m5_firmware (Range <4.4) AND lenovasystem_x3650_m5 (Match -)
Node: lenovasystem_x3750_m4_firmware (Range <4.4) AND lenovasystem_x3750_m4 (Match -)
Node: lenovasystem_x3850_x6_firmware (Range <4.4) AND lenovasystem_x3850_x6 (Match -)
Node: lenovasystem_x3950_x6_firmware (Range <4.4) AND lenovasystem_x3950_x6 (Match -)
Node: lenovaflex_system_x240_m4_firmware (Range <4.4) AND lenovaflex_system_x240_m4 (Match -)
Node: ibmbladecenter_hs22_firmware (Range <6.4) AND ibmbladecenter_hs22 (Match -)
Node: ibmbladecenter_hs23_firmware (Range <6.4) AND ibmbladecenter_hs23 (Match -)
Node: ibmbladecenter_hs23e_firmware (Range <6.4) AND ibmbladecenter_hs23e (Match -)
Node: ibmflex_system_x220_m4_firmware (Range <6.4) AND ibmflex_system_x220_m4 (Match -)
Node: ibmflex_system_x222_m4_firmware (Range <6.4) AND ibmflex_system_x222_m4 (Match -)
Node: ibmflex_system_x240_m4_firmware (Range <6.4) AND ibmflex_system_x240_m4 (Match -)
Node: ibmflex_system_x280_m4_firmware (Range <6.4) AND ibmflex_system_x280_m4 (Match -)
Node: ibmflex_system_x440_m4_firmware (Range <6.4) AND ibmflex_system_x440_m4 (Match -)
Node: ibmflex_system_x480_m4_firmware (Range <6.4) AND ibmflex_system_x480_m4 (Match -)
Node: ibmflex_system_x880_m4_firmware (Range <6.4) AND ibmflex_system_x880_m4 (Match -)
Node: ibmidataplex_dx360_m4_firmware (Range <6.4) AND ibmidataplex_dx360_m4 (Match -)
Node: ibmidataplex_dx360_m4_water_cooled_firmware (Range <6.4) AND ibmidataplex_dx360_m4_water_cooled (Match -)
Node: ibmnextscale_nx360_m4_firmware (Range <6.4) AND ibmnextscale_nx360_m4 (Match -)
Node: ibmsystem_x3100_m4_firmware (Range <6.4) AND ibmsystem_x3100_m4 (Match -)
Node: ibmsystem_x3100_m5_firmware (Range <6.4) AND ibmsystem_x3100_m5 (Match -)
Node: ibmsystem_x3250_m4_firmware (Range <6.4) AND ibmsystem_x3250_m4 (Match -)
Node: ibmsystem_x3250_m5_firmware (Range <6.4) AND ibmsystem_x3250_m5 (Match -)
Node: ibmsystem_x3300_m4_firmware (Range <6.4) AND ibmsystem_x3300_m4 (Match -)
Node: ibmsystem_x3500_m4_firmware (Range <6.4) AND ibmsystem_x3500_m4 (Match -)
Node: ibmsystem_x3530_m4_firmware (Range <6.4) AND ibmsystem_x3530_m4 (Match -)
Node: ibmsystem_x3550_m4_firmware (Range <6.4) AND ibmsystem_x3550_m4 (Match -)
Node: ibmsystem_x3630_m4_firmware (Range <6.4) AND ibmsystem_x3630_m4 (Match -)
Node: ibmsystem_x3650_m4_firmware (Range <6.4) AND ibmsystem_x3650_m4 (Match -)
Node: ibmsystem_x3650_m4_bd_firmware (Range <6.4) AND ibmsystem_x3650_m4_bd (Match -)
Node: ibmsystem_x3750_m4_firmware (Range <6.4) AND ibmsystem_x3750_m4 (Match -)
Node: ibmsystem_x3850_x6_firmware (Range <6.4) AND ibmsystem_x3850_x6 (Match -)
Node: ibmsystem_x3950_x6_firmware (Range <6.4) AND ibmsystem_x3950_x6 (Match -)
Node: ibmsystem_x3650_m4_hd_firmware (Range <6.4) AND ibmsystem_x3650_m4_hd (Match -)

CNA Affected

[
  {
    "product": "Integrated Management Module 2 (IMM2)",
    "vendor": "Lenovo Group Ltd.",
    "versions": [
      {
        "status": "affected",
        "version": "Earlier than 4.4 for Lenovo System x"
      },
      {
        "status": "affected",
        "version": "Earlier than 6.4 for IBM System x"
      }
    ]
  }
]
