- Chassis Management Module's SNMPv3 and LDAP user id and passwords, Integrated Management Module 2 local passwords and private keys may be exposed to unauthorized entities as part of service or maintenance activity
CVE ID: CVE-2012-4838
Code defect may cause Flex System IBM Integrated Management Module 2 (IMM2) local accounts and IMM2 SSH and/or SSL/TLS private keys to be exposed through service or maintenance activity. It may also cause SNMPv3 and LDAP user ids and passwords which are managed by the Chassis Management Module to be exposed through service or maintenance activity.
The following Flex System IMM2 code levels may exhibit this issue:
- 1.34 (1AOO28Q)
- 1.45 (1AOO28S)
- 1.60 (1AOO32P)
Flex System Manager Update Packs which include the above builds (versions 1.1.0, 18.104.22.168, and 1.1.1)
The following CMM code levels may exhibit this issue:
All builds 1.00.0 to 1.20.2 (2PET10A to 2PET10I)
Flex System Manager Update Packs which include the above builds (versions 1.1.0 and 22.214.171.124)
CVSS Base Score: 1.9
CVSS Temporal Score: Undefined
CVSS Environmental Score*: See http://xforce.iss.net/xforce/xfdb/79020 for the current score
CVSS String: (AV:L/AC:M/Au:N/C:P/I:N/A:N)
List the affected versions/releases/platforms, as best possible.
- Flex System Chassis Management Module, Option part number 68Y7029
- Flex System Enterprise Chassis, type 7893, any model
- Flex System Enterprise Chassis, type 8721, any model
- Flex System Enterprise Chassis, type 8724, any model
- Flex System Manager Node, type 7955, any model
- Flex System Manager Node, type 8731, any model
- Flex System Manager Node, type 8734, any model
- Flex System x220 Compute Node, type 2585, any model
- Flex System x220 Compute Node, type 7864, any model
- Flex System x220 Compute Node, type 7906, any model
- Flex System x240 Compute Node, type 8737, any model
- Flex System x240 Compute Node, type 8738, any model
- Flex System x440 Compute Node, type 2584, any model
- Flex System x440 Compute Node, type 7917, any model
IBM strongly recommends the following to address the potential security vulnerability:
- Apply the fix for CMM by updating to 1.40.0 (2PET10J) or later. This may be downloaded separately or found in Flex System Manager update package 1.2.0 or later.
- Apply the fix for IMM2 by updating to 1.85 (1AOO34Y) or later. (For the Flex System Manager, installing update package 1.2.0 or later will update the IMM2 on the appliance.)
- Change passwords for CMM SNMP v3 and LDAP accounts.
- Change passwords for IMM2 local accounts.
- It is also recommended to change passwords for any other accounts that use the same user id and password as any of the above accounts.
- If you would like to create new IMM2 private keys, backup the IMM2, reset it to defaults, and restore from the backup.
Please see below for information on the firmware fixes available.
Zip Update Package : http://www.ibm.com/support/fixcentral
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.