CVE-2018-9068 in Lenovo System x

Summary

by MITRE

The IMM2 First Failure Data Capture function collects management module logs and diagnostic information when a hardware error is detected. This information is made available for download through an SFTP server hosted on the IMM2 management network interface. In versions earlier than 4.90 for Lenovo System x and earlier than 6.80 for IBM System x, the credentials to access the SFTP server are hard-coded and described in the IMM2 documentation, allowing an attacker with management network access to obtain the collected FFDC data. After applying the update, the IMM2 will create random SFTP credentials for use with OneCLI.


Analysis

by VulDB Data Team • 03/10/2020

CVE-2018-9068 affects the IMM2 (Integrated Management Module 2) firmware used in Lenovo and IBM System x servers. The IMM2's First Failure Data Capture (FFDC) function gathers management module logs and diagnostic data when a hardware error is detected, and exposes the resulting archive for download through an SFTP server on the IMM2 management network interface. FFDC data describes the hardware state, configuration and error history of the host, so the SFTP endpoint that serves it is a worthwhile target for anyone who already has a foothold on the management network.

The flaw is that IMM2 firmware before 4.90 (Lenovo System x) and before 6.80 (IBM System x) uses a fixed SFTP username and password for the FFDC server, and that this pair is printed in the IMM2 documentation. This is CWE-798 (Use of Hard-coded Credentials): the credential is identical on every affected device and cannot be changed by the operator, so anyone who can reach the management interface and has read the documentation can authenticate to the SFTP server and download the collected FFDC data. No user interaction and no further authentication bypass is required; the only precondition is network access to the IMM2.

The impact is information disclosure rather than code execution, but the disclosed data is useful to an attacker: FFDC archives contain logs and diagnostic output describing the server's hardware, configuration settings and error conditions, which can guide further attacks on the management interface or on the host itself. Because the credential is fixed, access survives reboots and reconfiguration, and an attacker on the management network can return to collect fresh FFDC data after every captured failure without facing a new authentication challenge. In ATT&CK terms this maps to system information discovery (T1082) and data from local system (T1005), since the adversary harvests diagnostic information that reveals the target's characteristics and attack surface.

The fix replaces the documented pair with SFTP credentials that the IMM2 generates randomly for use with OneCLI, so the value is unique to the device and no longer appears in documentation or in the firmware image. After the update, an attacker on the management network needs some other way to obtain or bypass these credentials; knowledge of the documentation alone is no longer enough. Organizations should update affected IMM2 firmware to 4.90 or later on Lenovo System x and 6.80 or later on IBM System x. Because the SFTP server is only reachable from the IMM2 management network interface, keeping that network restricted to administrative hosts limits exposure until the update is applied; it does not remove the hard-coded credential. The root cause, a credential embedded in firmware and shared across an entire product line, is the pattern CWE-798 warns against, and the fix follows the standard remedy of generating a per-device secret at run time.
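As an added example (not code from VulDB, Lenovo or IBM), the following Python script does two things the analysis describes: it triages an IMM2 inventory against the fixed firmware versions named in the advisory, and it contrasts the pre-fix pattern of a single documented credential pair, which any client on the management network can use, with the post-fix pattern of a random per-device pair checked in constant time. The credential strings, host names and the decimal comparison of version numbers are assumptions made for the illustration; the real documented IMM2 credentials are deliberately not reproduced.

```python
"""Added example (not VulDB's, Lenovo's or IBM's code): IMM2 firmware triage for
CVE-2018-9068 plus a before/after illustration of CWE-798 for the FFDC SFTP server."""
from decimal import Decimal, InvalidOperation
import hmac
import secrets

# Fixed releases taken from the advisory text:
# Lenovo System x IMM2 < 4.90 and IBM System x IMM2 < 6.80 are affected.
FIXED_IMM2_VERSION = {"lenovo": Decimal("4.90"), "ibm": Decimal("6.80")}


def is_affected(vendor: str, version: str) -> bool:
    """True if an IMM2 at `version` (as printed, e.g. '4.80') predates the fixed release.

    Assumption: IMM2 versions compare as decimal numbers, so '4.9' equals '4.90'.
    """
    try:
        current = Decimal(version)
    except InvalidOperation:
        raise ValueError(f"unparseable IMM2 version: {version!r}") from None
    return current < FIXED_IMM2_VERSION[vendor.lower()]


def triage(inventory):
    """Return the (name, vendor, version) entries that still need the firmware update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed inventory for the demonstration; these are not real hosts.
INVENTORY = [
    ("imm2-rack01", "lenovo", "4.80"),
    ("imm2-rack02", "lenovo", "4.90"),
    ("imm2-rack03", "Lenovo", "5.10"),
    ("imm2-legacy01", "ibm", "6.70"),
    ("imm2-legacy02", "IBM", "6.80"),
]

# --- CWE-798: the pattern the affected firmware used (placeholder values) ---
# These stand in for a documented, product-wide credential pair. They are NOT
# the real IMM2 values; the point is that the pair is fixed and shared.
HARDCODED_SFTP_USER = "ffdc-documented-user"
HARDCODED_SFTP_PASSWORD = "documented-password"


def legacy_sftp_login(user: str, password: str) -> bool:
    """Pre-fix behaviour: whoever knows the documented pair is accepted on every device."""
    return user == HARDCODED_SFTP_USER and password == HARDCODED_SFTP_PASSWORD


# --- The pattern the fix adopts: a random secret generated per device ---
def generate_sftp_credentials() -> dict:
    """Produce a fresh credential pair from the OS CSPRNG (format is an assumption)."""
    return {"user": "ffdc-" + secrets.token_hex(4), "password": secrets.token_urlsafe(24)}


def sftp_login(issued: dict, user: str, password: str) -> bool:
    """Check a login against the issued pair without leaking timing on mismatch."""
    user_ok = hmac.compare_digest(user.encode(), issued["user"].encode())
    pw_ok = hmac.compare_digest(password.encode(), issued["password"].encode())
    return user_ok and pw_ok


if __name__ == "__main__":
    for name, vendor, version in triage(INVENTORY):
        print(f"{name}: IMM2 {version} ({vendor}) still serves FFDC with documented "
              f"SFTP credentials; update to {FIXED_IMM2_VERSION[vendor.lower()]} or later")
    issued = generate_sftp_credentials()
    print("documented pair accepted by legacy firmware:",
          legacy_sftp_login(HARDCODED_SFTP_USER, HARDCODED_SFTP_PASSWORD))
    print("documented pair accepted after the fix:",
          sftp_login(issued, HARDCODED_SFTP_USER, HARDCODED_SFTP_PASSWORD))
    print("a second device gets a different pair:",
          generate_sftp_credentials()["password"] != issued["password"])
```

The triage function is the part worth reusing: feed it the IMM2 versions from your own inventory export and it lists the hosts whose FFDC SFTP server still answers to the documented pair. The two login functions only illustrate why the firmware change matters; the real IMM2 credential handling is not public and is not modelled here.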

Reservation

03/27/2018

Disclosure

07/26/2018

Moderation

accepted

CPE

ready

EPSS

0.00235

KEV

no

Activities

very low
