CVE-2018-16095

In System Management Module SMM versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails...

CVE-2018-16089

In System Management Module SMM versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user...

CVE-2018-16089

The CVE-2018-16089 entry concerns Lenovo System Management Module (SMM) firmware. A field in the header of SMM firmware update images in SMM versions prior to 1.06 is insufficiently sanitized, enabling post-authentication command injection on the SMM as the root user. The Lenovo advisory LEN-2437...

CVE-2018-16092

CVE-2018-16092 affects Lenovo System Management Module (SMM) firmware prior to 1.06. The FFDC feature collects SMM system files, including sensitive data such as SMM user credentials and the system shadow file. This exposure could lead to confidentiality impact if FFDC data is accessed or misused...

CVE-2018-16096

The CVE-2018-16096 issue affects Lenovo System Management Module (SMM) firmware prerelease 1.06, where the SMM web interface for changing Enclosure VPD fails to sanitize all HTML inputs, creating a cross-site scripting risk. The vulnerability is documented alongside other SMM flaws in Lenovo LEN-...

CVE-2018-16094

Affected component: Lenovo System Management Module (SMM) firmware. Vulnerability: In SMM versions prior to 1.06, an internal function that retrieves configuration settings is susceptible to a buffer overflow. Impact: Exploitation could compromise SMM processing semantics as described in the Leno...

CVE-2018-16091 System Management Module Vulnerabilities

In System Management Module SMM versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows...

CVE-2018-9084 System Management Module Vulnerabilities

In System Management Module SMM versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented...

CVE-2018-9083

Consolidated details show CVE-2018-9083 affects Lenovo System Management Module (SMM) firmware prior to 1.06, where weak default root credentials could allow login to the device OS if SSH/Telnet is enabled via another vulnerability. The Lenovo advisories LEN-24374 and PS500189 summarize remediati...

CVE-2018-16092 System Management Module Vulnerabilities

In System Management Module SMM versions prior to 1.06, the FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file...

CVE-2018-16091

CVE-2018-16091 affects Lenovo System Management Module firmware older than 1.06, where the SMM certificate creation/parsing logic is vulnerable to several buffer overflows. The Lenovo advisory LEN-24374 lists this CVE among others and recommends upgrading SMM firmware to a newer level, and applyi...

CVE-2018-16090 System Management Module Vulnerabilities

In System Management Module SMM versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection...

CVE-2018-9084

CVE-2018-9084 affects Lenovo System Management Module (SMM) firmware prior to 1.06. If an attacker logs into the device OS, the validation of software updates can be circumvented. The Lenovo advisory LEN-24374 recommends upgrading SMM firmware to the stated level for your model and applying stand...

CVE-2018-16095

CVE-2018-16095 affects Lenovo System Management Module (SMM) firmware prior to 1.06. When authentication fails, the SMM records hashed passwords to a debug log, potentially exposing credentials. Impact is credential exposure within the SMM environment as described by Lenovo’s vulnerability notes....

CVE-2018-16090

The CVE-2018-16090 vulnerability affects Lenovo System Management Module (SMM) firmware prior to 1.06, where the certificate creation and parsing logic allows post-authentication command injection. The Lenovo advisory LEN-24374 documents this issue and links it to several SMM-related CVEs; for CV...

Lenovo Chassis Management Module (CMM) Information Disclosure Vulnerability (CNVD-2019-05532)

The Lenovo Chassis Management Module CMM is a hot-swappable Lenovo Flex System module that can be used to configure and manage all installed Lenovo Flex System components. An information disclosure vulnerability exists in Lenovo CMM versions prior to 2.0.0, which can be exploited by an attacker t...

CVE-2018-9073

Lenovo Chassis Management Module CMM prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets...

CVE-2018-9071

Lenovo Chassis Management Module CMM prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration...

Authentication flaw

Lenovo Chassis Management Module CMM prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration...

CVE-2018-9071

Lenovo Chassis Management Module CMM prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration...