CVE-2014-0860

EUVD-2014-0890

07.07.2014, 11:01

The firmware before 3.66E in IBM BladeCenter Advanced Management Module (AMM), the firmware before 1.43 in IBM Integrated Management Module (IMM), and the firmware before 4.15 in IBM Integrated Management Module II (IMM2) contains cleartext IPMI credentials, which allows attackers to execute arbitrary IPMI commands, and consequently establish a blade remote-control session, by leveraging access to (1) the chassis internal network or (2) the Ethernet-over-USB interface.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:N/C:P/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 46%

Affected Products (NVD)

Vendor	Product	Version
ibm	integrated_management_module_firmware	𝑥 ≤ 1.36
ibm	integrated_management_module	-
ibm	advanced_management_module_firmware	𝑥 ≤ 3.65
ibm	advanced_management_module	-
ibm	integrated_management_module_ii_firmware	𝑥 ≤ 3.65
ibm	integrated_management_module_ii	-

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-310 -

References

http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095840

https://exchange.xforce.ibmcloud.com/vulnerabilities/90880

http://www.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095840

https://exchange.xforce.ibmcloud.com/vulnerabilities/90880