System Management Module (SMM v1 and v2) and Fan Power Controller (FPC) Vulnerabilities - Lenovo Support US

No description provided...

PT-2024-3582 · Lenovo · Thinkagile +3

Name of the Vulnerable Software and Affected Versions: Lenovo ThinkSystem, ThinkAgile, NeXtScale, and Lenovo CP-CB-10 affected versions not specified Description: The issue is related to an authentication bypass vulnerability in the System Management Module SMM/SMM2 and Fan Power Controller FPC...

PT-2024-3581 · Lenovo · Thinkagile +3

Name of the Vulnerable Software and Affected Versions: Lenovo ThinkSystem, ThinkAgile, NeXtScale, and Lenovo CP-CB-10 affected versions not specified SMM/SMM2 and FPC affected versions not specified Description: A command injection issue was identified in the System Management Module SMM/SMM2 and...

CVE-2023-2993

A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute...

CVE-2023-2992

An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server...

CVE-2021-3897

An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 FPC2 and Lenovo System Management Module SMM firmware during an that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected...

CVE-2021-3849

An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 FPC2 and Lenovo System Management Module SMM firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected...

CVE-2021-3897

CVE-2021-3897 describes an authentication bypass in internal services of Lenovo’s Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware, with SMM2 reportedly not affected. Multiple connected sources confirm the vulnerability could allow an unauthenticated attacker...

PT-2022-10823 · Lenovo · Lenovo System Management Module +1

Name of the Vulnerable Software and Affected Versions: Lenovo Fan Power Controller2 FPC2 and Lenovo System Management Module SMM firmware affected versions not specified SMM2 is not affected. Description: An authentication bypass issue was discovered in an internal service of the Lenovo Fan Power...

PT-2022-10733 · Lenovo · Lenovo System Management Module +1

Name of the Vulnerable Software and Affected Versions: Lenovo Fan Power Controller2 FPC2 affected versions not specified Lenovo System Management Module SMM affected versions not specified Description: An authentication bypass issue was found in the web interface of the Lenovo Fan Power Controlle...

Lenovo Fan Power Controller2 授权问题漏洞

Lenovo Fan Power Controller2 Lenovo Fpc2 is a fan power controller firmware from Lenovo China. A security vulnerability exists in the internal services of the Lenovo Fan Power Controller2 FPC2 and Lenovo System Management Module SMM firmware that could allow an unauthenticated attacker to execute...

Lenovo Fan Power Controller2和Lenovo System Management Module 授权问题漏洞

Lenovo Fan Power Controller2 Lenovo Fpc2 and Lenovo System Management Module Lenovo Smm are both products of the Chinese company Lenovo.Lenovo Fan Power Controller2 is a fan power controller firmware. Lenovo System Management Module is a system management module firmware. A security vulnerability...

Security Bulletin: IBM System x and Flex Systems OpenSSH Vulnerabilities (CVE-2012-0814, CVE-2008-5161)

Summary Older versions of OpenSSH, used by several System x and Flex Systems products, contain multiple vulnerabilities. Vulnerability Details Abstract Older versions of OpenSSH, used by several System x and Flex Systems products, contain multiple vulnerabilities. Content Vulnerability Details:...

CVE-2018-9083

In System Management Module SMM versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability...

CVE-2018-16089

In System Management Module SMM versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user...

CVE-2018-9083

In System Management Module SMM versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability...

CVE-2018-16094

In System Management Module SMM versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow...

CVE-2018-16092

In System Management Module SMM versions prior to 1.06, the FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file...

CVE-2018-16090

In System Management Module SMM versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection...

CVE-2018-9084

In System Management Module SMM versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented...