Jun 25, 2024 - 5:17 p.m.

Security Bulletin: This Power System update is being released to address CVE-2023-37453

2024-06-25 17:17:25
www.ibm.com
security bulletin
cve-2023-37453
bmc
usb ports
power systems
fw1050.11
remediation
physical access.

CVSS3: 4.6 Medium

Attack Vector: PHYSICAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.3 Medium (Confidence: High)

EPSS: 0.0005 Low (Percentile: 17.3%)

Summary

This affects the BMC’s physical USB ports.

Vulnerability Details

CVEID: CVE-2023-37453
**DESCRIPTION:** Linux Kernel is vulnerable to a denial of service, caused by an out-of-bounds flaw in the read_descriptors function in drivers/usb/core/sysfs.c in the USB subsystem. By using a specially crafted USB device, a physical attacker could exploit this vulnerability to cause the system to crash.
CVSS Base score: 4.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259996 for the current score.
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

Affected Product(s): OPENBMC
Version(s): FW1050.00 - FW1050.10

Remediation/Fixes

Customers with the products below should install FW1050.11 (1050_070) or newer to remediate this vulnerability.

Power 10

  1. IBM Power System S1022 (9105-22A)
  2. IBM Power System S1024 (9105-42A)
  3. IBM Power System S1022S (9105-22B)
  4. IBM Power System S1014 (9105-41B)
  5. IBM Power System E1050 (9043-MRX)
  6. IBM Power System L1022 (9786-22H)
  7. IBM Power System L1024 (9786-42H)

Workarounds and Mitigations

Prevent physical access to the BMC’s USB ports.
