Lucene search

K
ibmIBM93800CB903FCF930D2442012C501177682436E51AEBEA85D7632953A9A31B533
HistoryDec 07, 2023 - 10:45 p.m.

Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in the Kernel

2023-12-0722:45:07
www.ibm.com
25

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

32.3%

Summary

IBM Flex System switch firmware products have addressed the following Kernel vulnerabilities.

Vulnerability Details

CVEID:CVE-2020-13974
**DESCRIPTION:**Linux Kernel could allow a local attacker to execute arbitrary code on the system, caused by an integer overflow in the drivers/tty/vt/keyboard.c. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183251 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID:CVE-2020-10732
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a flaw in the implementation of Userspace core dumps. By sending a specially crafted request, an attacker could exploit this vulnerability to obtain sensitive information or cause a program to crash.
CVSS Base score: 3.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181554 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-14314
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by a memory out-of-bounds read flaw. By sending a specially crafted request, a local attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/188395 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2020-12770
**DESCRIPTION:**Linux Kernel is vulnerable to a denial of service, caused by an issue with sg_write lacks an sg_remove_request call in a certain failure case. By sending a specially-crafted request, a local attacker could exploit this vulnerability to cause a panic.
CVSS Base score: 6.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/181750 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Flex System EN2092 1Gb Ethernet Scalable Switch 7.8
IBM Flex System Fabric SI4093 GbFSIM 10Gb Scalable Switch 7.8
IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch 7.8
IBM Flex System CN4093 10Gb Converged Scalable Switch 7.8

Remediation/Fixes

Firmware fix versions are available on Fix Central: <http://www.ibm.com/support/fixcentral&gt;

Product Fix Version

IBM Flex System EN2092 1Gb Ethernet Scalable Switch firmware

(ibm_fw_scsw_en2092-7.8.27.0_anyos_noarch)

| 7.8.27.0

IBM Flex System Fabric SI4093 System Interconnect Module firmware

(ibm_fw_scsw_si4093-7.8.27.0_anyos_noarch)

| 7.8.27.0

IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch firmware

(ibm_fw_scsw_en4093r-7.8.27.0_anyos_noarch)

| 7.8.27.0

IBM Flex System CN4093 10Gb Converged Scalable Switch firmware

(ibm_fw_scsw_cn4093-7.8.27.0_anyos_noarch)

| 7.8.27.0

Workarounds and Mitigations

None

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

32.3%