Hardcoded credentials

2018-07-2619:29:00

PRIOn knowledge base

www.prio-n.com

7.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.1%

JSON

The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.

CPENameOperatorVersion
bladecenter_hs22_firmwarelt6.80
bladecenter_hs23_firmwarelt6.80
bladecenter_hs23e_firmwarelt6.80
flex_system_x220_m4_firmwarelt6.80
flex_system_x222_m4_firmwarelt6.80
flex_system_x240_m4_firmwarelt6.80
flex_system_x280_m4_firmwarelt6.80
flex_system_x440_m4_firmwarelt6.80
flex_system_x480_m4_firmwarelt6.80
flex_system_x880_m4_firmwarelt6.80

Name	Operator	Version
bladecenter_hs22_firmware	lt	6.80
bladecenter_hs23_firmware	lt	6.80
bladecenter_hs23e_firmware	lt	6.80
flex_system_x220_m4_firmware	lt	6.80
flex_system_x222_m4_firmware	lt	6.80
flex_system_x240_m4_firmware	lt	6.80
flex_system_x280_m4_firmware	lt	6.80
flex_system_x440_m4_firmware	lt	6.80
flex_system_x480_m4_firmware	lt	6.80
flex_system_x880_m4_firmware	lt	6.80