Allele Security Alert
ASA-2018-00049
Identifier(s)
ASA-2018-00049, CVE-2018-9085, LEN-24477
Title
Missing System x Flash Memory Write Protection Lock Bit
Vendor(s)
Lenovo
Product(s)
System x – Lenovo
System x (IBM)
Affected version(s)
Flex System x240 M4
Flex System x440 M4
System x3750 M4
BladeCenter HS23
BladeCenter HS23E
Flex System x220 M4
Flex System x222 M4
Flex System x240 M4
Flex System x280
Flex System x440 M4
Flex System x480 X6
Flex System x880
iDataPlex dx360 M4
iDataPlex dx360 M4 Water Cooled
NeXtScale nx360 M4
System x3100 M4
System x3100 M5
System x3250 M4
System x3250 M5
System x3300 M4
System x3500 M4
System x3530 M4
System x3550 M4
System x3630 M4
System x3650 M4
System x3650 M4 BD
System x3650 M4 HD
System x3750 M4
System x3850 X6
System x3950 X6
Fixed version(s)
Flex System x240 M4 A3E122B
Flex System x440 M4 CGE122B
System x3750 M4 A5E124B
BladeCenter HS23 tke160c
BladeCenter HS23E ahe160c
Flex System x220 M4 kse158c
Flex System x222 M4 cce160c
Flex System x240 M4 ahe160c
Flex System x280 n3e132w
Flex System x440 M4 cne162d
Flex System x480 X6 n3e132w
Flex System x880 n2e130e
iDataPlex dx360 M4 fhe120d
iDataPlex dx360 M4 Water Cooled fhe120d
NeXtScale nx360 M4 fhe120d
System x3100 M4 jqe184c
System x3100 M5 j9e134c
System x3250 M4 jqe184c
System x3250 M5 jue134c
System x3300 M4 yae156c
System x3500 M4 y5e158c
System x3530 M4 bee164c
System x3550 M4 D7E166D
System x3630 M4 VVE162C
System x3650 M4 vve160c
System x3650 M4 BD vve160c
System x3650 M4 HD vve160c
System x3750 M4 koe160c
System x3850 X6 a8e128c
System x3950 X6 bee164c
Proof of concept
Unknown
Description
A write protection lock bit was left unset after boot on an older generation of System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors. Other system firmware, such as UEFI (BIOS) or IMM2, remains protected and unmodifiable.
Technical details
Unknown
Credits
Unknown
Reference(s)
LEN-24477
https://support.lenovo.com/us/en/solutions/LEN-24477
CVE-2018-9085
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-9085
CVE-2018-9085
https://nvd.nist.gov/vuln/detail/CVE-2018-9085
If there is any error in this alert or you wish for a comprehensive analysis, let us know.
Last modified: February 6, 2019