Lucene search

LenovoCVE-2018-9084

HistoryNov 27, 2018 - 2:29 p.m.

CVE-2018-9084

2018-11-2714:29:00

lenovo

web.nvd.nist.gov

cve-2018-9084

system management module

smm

software update validation

security vulnerability

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

In System Management Module (SMM) versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented.

Affected configurations

Nvd

Node

lenovosystem_management_module_firmwareRange<1.06

AND

lenovothinkagile_hx_enclosure_7x81Match-

lenovothinkagile_hx_enclosure_7y87Match-

lenovothinkagile_hx_enclosure_7z02Match-

lenovothinkagile_vx_enclosure_7y11Match-

lenovothinkagile_vx_enclosure_7y91Match-

lenovothinksystem_d2_enclosure_7x20Match-

lenovothinksystem_modular_enclosure_7x22Match-

VendorProductVersionCPE
lenovosystem_management_module_firmware*cpe:2.3:o:lenovo:system_management_module_firmware:*:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7x81-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7x81:-:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7y87-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7y87:-:*:*:*:*:*:*:*
lenovothinkagile_hx_enclosure_7z02-cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7z02:-:*:*:*:*:*:*:*
lenovothinkagile_vx_enclosure_7y11-cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y11:-:*:*:*:*:*:*:*
lenovothinkagile_vx_enclosure_7y91-cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y91:-:*:*:*:*:*:*:*
lenovothinksystem_d2_enclosure_7x20-cpe:2.3:h:lenovo:thinksystem_d2_enclosure_7x20:-:*:*:*:*:*:*:*
lenovothinksystem_modular_enclosure_7x22-cpe:2.3:h:lenovo:thinksystem_modular_enclosure_7x22:-:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
lenovo	system_management_module_firmware	*	cpe:2.3:o:lenovo:system_management_module_firmware::::::::
lenovo	thinkagile_hx_enclosure_7x81	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7x81:-:::::::*
lenovo	thinkagile_hx_enclosure_7y87	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7y87:-:::::::*
lenovo	thinkagile_hx_enclosure_7z02	-	cpe:2.3:h:lenovo:thinkagile_hx_enclosure_7z02:-:::::::*
lenovo	thinkagile_vx_enclosure_7y11	-	cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y11:-:::::::*
lenovo	thinkagile_vx_enclosure_7y91	-	cpe:2.3:h:lenovo:thinkagile_vx_enclosure_7y91:-:::::::*
lenovo	thinksystem_d2_enclosure_7x20	-	cpe:2.3:h:lenovo:thinksystem_d2_enclosure_7x20:-:::::::*
lenovo	thinksystem_modular_enclosure_7x22	-	cpe:2.3:h:lenovo:thinksystem_modular_enclosure_7x22:-:::::::*

CNA Affected

[
  {
    "product": "ThinkSystem SMM",
    "vendor": "Lenovo",
    "versions": [
      {
        "lessThan": "1.06",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

support.lenovo.com/us/en/solutions/LEN-24374

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

AI Score

Confidence

High

EPSS

0.001

Percentile

22.7%

JSON

Related for CVE-2018-9084