Lucene search

LenovoCVE-2018-9083

HistoryNov 27, 2018 - 2:29 p.m.

CVE-2018-9083

2018-11-2714:29:00

CWE-798

lenovo

web.nvd.nist.gov

cve-2018-9083

system management module

smm

weak credentials

ssh

telnet

vulnerability

nvd

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.002

Percentile

60.7%

JSON

In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS – if the attacker manages to enable SSH or Telnet connections via some other vulnerability.

Affected configurations

Nvd

Node

lenovosystem_management_module_firmwareRange<1.06

AND

lenovothinkagile_hx_enclosure_7x81Match-

lenovothinkagile_hx_enclosure_7y87Match-

lenovothinkagile_hx_enclosure_7z02Match-

lenovothinkagile_vx_enclosure_7y11Match-

lenovothinkagile_vx_enclosure_7y91Match-

lenovothinksystem_d2_enclosure_7x20Match-

lenovothinksystem_modular_enclosure_7x22Match-

VendorProductVersionCPE
lenovosystem_management_module_firmware*cpe:2.3:o:lenovo:system_management_module_firmware:*:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7x81-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7x81:-:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7y87-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7y87:-:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7z02-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7z02:-:*:*:*:*:*:*:*
lenovothinkagile_vx_enclosure_7y11-cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y11:-:*:*:*:*:*:*:*
lenovothinkagile_vx_enclosure_7y91-cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y91:-:*:*:*:*:*:*:*
lenovothinksystem_d2_enclosure_7x20-cpe:2.3:h:lenovo:thinksystem_d2_enclosure_7x20:-:*:*:*:*:*:*:*
lenovothinksystem_modular_enclosure_7x22-cpe:2.3:h:lenovo:thinksystem_modular_enclosure_7x22:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lenovo	system_management_module_firmware	*	cpe:2.3:o:lenovo:system_management_module_firmware::::::::
lenovo	thinkagile_hx_enclosure_7x81	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7x81:-:::::::*
lenovo	thinkagile_hx_enclosure_7y87	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7y87:-:::::::*
lenovo	thinkagile_hx_enclosure_7z02	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7z02:-:::::::*
lenovo	thinkagile_vx_enclosure_7y11	-	cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y11:-:::::::*
lenovo	thinkagile_vx_enclosure_7y91	-	cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y91:-:::::::*
lenovo	thinksystem_d2_enclosure_7x20	-	cpe:2.3:h:lenovo:thinksystem_d2_enclosure_7x20:-:::::::*
lenovo	thinksystem_modular_enclosure_7x22	-	cpe:2.3:h:lenovo:thinksystem_modular_enclosure_7x22:-:::::::*

CNA Affected

[
  {
    "product": "ThinkSystem SMM",
    "vendor": "Lenovo",
    "versions": [
      {
        "lessThan": "1.06",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

support.lenovo.com/us/en/solutions/LEN-24374

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.002

Percentile

60.7%

JSON

Related for CVE-2018-9083