CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
48.6%
The administrative IPMI credentials for authenticating communications between the IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) are stored in plaintext within the AMM firmware binaries.
The administrative IPMI credentials for authenticating communications between the IBM BladeCenter Advanced Management Module (AMM), Integrated Management Module (IMM), and Integrated Management Module 2 (IMM2) are stored in plaintext within the AMM firmware binaries.
Vulnerability Details:
CVE ID: CVE-2014-0860 **
Description:The administrative IPMI credentials for authenticating communications between the AMM and IMM β they are stored in plaintext within the firmware binaries. Using these credentials, any user with access to a bladeβs IMM management interface (either via the chassis internal network or in-band through the IMMβs Ethernet over USB interface) can send it arbitrary IPMI commands. This includes the ability to create new IMM management accounts with supervisor privileges which could then be used to connect to the bladeβs remote console facility. CVSS Base Score: 4.0
CVSS Temporal Score:** See <http://xforce.iss.net/xforce/xfdb/90880> for the current score**
CVSS Environmental Score*:** Undefined**
CVSS Vector:** (AV:N/AC:L/Au:S/C:P/I:N/A:N)
These IBM BladeCenter Advanced Management Module Firmware versions are affected in v3.66D (BPET66D, BBET66D, BPEO66D) and previous versions.
These IBM Integrated Management Module Firmware versions are affected in 1.42, YUOOG2C and previous versions.
This applies to the following hardware products:
Affected IBM BladeCenter HS23 and HS23E firmware versions:
The recommended solution is to apply the fix to all previous versions as soon as practical. Please see below for information on the fixes available
Fix:
IBM recommends applying Advanced Management Module firmware version v3.66E (BPET66E, BBET66E, BPEO66E).
IBM recommends applying Integrated Management Module to 1.43 YUOOG6B or later to IBM BladeCenter HS22, HX5.
IBM recommends applying Integrated Management Module II firmware version v4.15 (1AOO58K) to the IBM BladeCenter HS23 and HS23E.
None.
Related Information:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Acknowledgement
None
Change History
12 May 2014: Original Copy Published
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an βindustry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.β IBM PROVIDES THE CVSS SCORES βAS ISβ WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.