cnvd - cnvd-2017-13250

cnvd-2017-13250

Vulnerability from cnvd

Title: Lenovo System x IMM2固件证书获取漏洞

Description:

Lenovo System x IMM2是联想服务器使用在其中的固件，它提供远程监控和控制服务器的功能。

Lenovo System x IMM2存在安全漏洞，攻击者可以利用漏洞获取登录证书。

Severity: 中

Patch Name: Lenovo System x IMM2固件证书获取漏洞的补丁

Patch Description:

Lenovo System x IMM2是联想服务器使用在其中的固件，它提供远程监控和控制服务器的功能。

Lenovo System x IMM2存在安全漏洞，攻击者可以利用漏洞获取登录证书。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

用户可参考如下厂商提供的安全补丁以修复该漏洞： https://support.lenovo.com/us/zh/product_security/len-14054

Reference: https://support.lenovo.com/us/zh/product_security/len-14054

Impacted products

Name
Lenovo Flex System x240 M4 <=4.10

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-3744"
    }
  },
  "description": "Lenovo System x IMM2\u662f\u8054\u60f3\u670d\u52a1\u5668\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u56fa\u4ef6\uff0c\u5b83\u63d0\u4f9b\u8fdc\u7a0b\u76d1\u63a7\u548c\u63a7\u5236\u670d\u52a1\u5668\u7684\u529f\u80fd\u3002\r\n\r\nLenovo System x IMM2\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u767b\u5f55\u8bc1\u4e66\u3002",
  "discovererName": "Lenovo",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttps://support.lenovo.com/us/zh/product_security/len-14054",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-13250",
  "openTime": "2017-07-07",
  "patchDescription": "Lenovo System x IMM2\u662f\u8054\u60f3\u670d\u52a1\u5668\u4f7f\u7528\u5728\u5176\u4e2d\u7684\u56fa\u4ef6\uff0c\u5b83\u63d0\u4f9b\u8fdc\u7a0b\u76d1\u63a7\u548c\u63a7\u5236\u670d\u52a1\u5668\u7684\u529f\u80fd\u3002\r\n\r\nLenovo System x IMM2\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6f0f\u6d1e\u83b7\u53d6\u767b\u5f55\u8bc1\u4e66\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Lenovo System x IMM2\u56fa\u4ef6\u8bc1\u4e66\u83b7\u53d6\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Lenovo Flex System x240 M4 \u003c=4.10"
  },
  "referenceLink": "https://support.lenovo.com/us/zh/product_security/len-14054",
  "serverity": "\u4e2d",
  "submitTime": "2017-07-05",
  "title": "Lenovo System x IMM2\u56fa\u4ef6\u8bc1\u4e66\u83b7\u53d6\u6f0f\u6d1e"
}

CVE-2017-3744 (GCVE-0-2017-3744)

Vulnerability from cvelistv5

Published

2017-06-20 00:00

Modified

2024-08-05 14:39

Severity ?

CWE

Disclosure of login credentials to user with local privileges

Summary

In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands.

References

▼	URL	Tags
	https://support.lenovo.com/product_security/LEN-14054	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Lenovo Group Ltd.	Lenovo System x IMM2	Version: Lenovo System x IMM2 firmware versions earlier than 4.10 and IBM System x IMM2 firmware versions earlier than 6.20

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T14:39:41.051Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://support.lenovo.com/product_security/LEN-14054"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Lenovo System x IMM2",
          "vendor": "Lenovo Group Ltd.",
          "versions": [
            {
              "status": "affected",
              "version": "Lenovo System x IMM2 firmware versions earlier than 4.10 and IBM System x IMM2 firmware versions earlier than 6.20"
            }
          ]
        }
      ],
      "datePublic": "2017-06-08T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Disclosure of login credentials to user with local privileges",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2017-06-19T23:57:01",
        "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
        "shortName": "lenovo"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://support.lenovo.com/product_security/LEN-14054"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "psirt@lenovo.com",
          "ID": "CVE-2017-3744",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Lenovo System x IMM2",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Lenovo System x IMM2 firmware versions earlier than 4.10 and IBM System x IMM2 firmware versions earlier than 6.20"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Lenovo Group Ltd."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the IMM2 firmware of Lenovo System x servers, remote commands issued by LXCA or other utilities may be captured in the First Failure Data Capture (FFDC) service log if the service log is generated when that remote command is running. Captured command data may contain clear text login information. Authorized users that can capture and export FFDC service log data may have access to these remote commands."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Disclosure of login credentials to user with local privileges"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://support.lenovo.com/product_security/LEN-14054",
              "refsource": "CONFIRM",
              "url": "https://support.lenovo.com/product_security/LEN-14054"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b",
    "assignerShortName": "lenovo",
    "cveId": "CVE-2017-3744",
    "datePublished": "2017-06-20T00:00:00",
    "dateReserved": "2016-12-16T00:00:00",
    "dateUpdated": "2024-08-05T14:39:41.051Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted