ASA-2018-00049 – Lenovo: Missing System x Flash Memory Write Protection Lock Bit

Allele Security Alert



ASA-2018-00049, CVE-2018-9085, LEN-24477


Missing System x Flash Memory Write Protection Lock Bit




System x – Lenovo

System x (IBM)

Affected version(s)

Flex System x240 M4
Flex System x440 M4
System x3750 M4
BladeCenter HS23
BladeCenter HS23E
Flex System x220 M4
Flex System x222 M4
Flex System x240 M4
Flex System x280
Flex System x440 M4
Flex System x480 X6
Flex System x880
iDataPlex dx360 M4
iDataPlex dx360 M4 Water Cooled
NeXtScale nx360 M4
System x3100 M4
System x3100 M5
System x3250 M4
System x3250 M5
System x3300 M4
System x3500 M4
System x3530 M4
System x3550 M4
System x3630 M4
System x3650 M4
System x3650 M4 BD
System x3650 M4 HD
System x3750 M4
System x3850 X6
System x3950 X6

Fixed version(s)

Flex System x240 M4 A3E122B
Flex System x440 M4 CGE122B
System x3750 M4 A5E124B
BladeCenter HS23 tke160c
BladeCenter HS23E ahe160c
Flex System x220 M4 kse158c
Flex System x222 M4 cce160c
Flex System x240 M4 ahe160c
Flex System x280 n3e132w
Flex System x440 M4 cne162d
Flex System x480 X6 n3e132w
Flex System x880 n2e130e
iDataPlex dx360 M4 fhe120d
iDataPlex dx360 M4 Water Cooled fhe120d
NeXtScale nx360 M4 fhe120d
System x3100 M4 jqe184c
System x3100 M5 j9e134c
System x3250 M4 jqe184c
System x3250 M5 jue134c
System x3300 M4 yae156c
System x3500 M4 y5e158c
System x3530 M4 bee164c
System x3550 M4 D7E166D
System x3630 M4 VVE162C
System x3650 M4 vve160c
System x3650 M4 BD vve160c
System x3650 M4 HD vve160c
System x3750 M4 koe160c
System x3850 X6 a8e128c
System x3950 X6 bee164c

Proof of concept



A write protection lock bit was left unset after boot on an older generation of System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors. Other system firmware, such as UEFI (BIOS) or IMM2, remains protected and unmodifiable.

Technical details








If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.