16 September 21, 16:46
Quote:Two legacy IBM System x server models, retired in 2019, are open to attack and will not receive security patches, according to hardware maker Lenovo. However, the company is offering workaround mitigation.
The two models, IBM System x 3550 M3 and IBM System x 3650 M3, are both vulnerable to command injection attacks. The bug allows an adversary to execute arbitrary commands on either server model’s operating system via a vulnerable application called Integrated Management Module (IMM).
IMM is used for systems-management functions. On the back panel of System x models, serial and Ethernet connectors use the IMM for device management. The flaw, according to a Lenovo advisory posted Tuesday, is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.”
SSH or Secure Shell is a cryptographic network communication protocol allowing two computers to communicate or share data. Telnet is another network protocol that allows remote users to log into another computer on the same network. Telnet, by default, does not encrypt data sent over its connection.
The bug, tracked as CVE-2021-3723, was disclosed on Wednesday and bug hunter Denver Abrey is credited for finding it.
Read more: No Patch for High-Severity Bug in Legacy IBM System X Servers | Threatpost