CVE-2017-3768 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-3768?

CVE-2017-3768 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-3768?

Check the references section above for vendor advisories and patch information. Affected products include: Lenova Flex System X240 M5 Firmware, Lenova Flex System X240 M5, Lenova Flex System X280 X6 Firmware, Lenova Flex System X280 X6, Lenova Flex System X440 M4 Firmware.

Vulnerability Description

An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Flooding the IMM2 with a high volume of authentication failures via the Common Information Model (CIM) used by LXCA and OneCLI and other tools can exhaust available system memory which can cause the IMM2 to reboot itself until the requests cease.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Lenova	Flex System X240 M5 Firmware	< 4.4
Lenova	Flex System X240 M5	-
Lenova	Flex System X280 X6 Firmware	< 4.4
Lenova	Flex System X280 X6	-
Lenova	Flex System X440 M4 Firmware	< 4.4
Lenova	Flex System X440 M4	-
Lenova	Flex System X480 X6 Firmware	< 4.4
Lenova	Flex System X480 X6	-
Lenova	Flex System X880 Firmware	< 4.4
Lenova	Flex System X880	-
Lenova	Nextscale Nx360 M5 Firmware	< 4.4
Lenova	Nextscale Nx360 M5	-
Lenova	System X3250 M6 Firmware	< 4.4
Lenova	System X3250 M6	-
Lenova	System X3500 M5 Firmware	< 4.4
Lenova	System X3500 M5	-
Lenova	System X3550 M5 Firmware	< 4.4
Lenova	System X3550 M5	-
Lenova	System X3650 M5 Firmware	< 4.4
Lenova	System X3650 M5	-

Related Weaknesses (CWE)

CWE-400

References

https://support.lenovo.com/us/en/product_security/LEN-14450Vendor Advisory
https://support.lenovo.com/us/en/product_security/LEN-14450Vendor Advisory

FAQ

What is CVE-2017-3768?

CVE-2017-3768 is a vulnerability with a CVSS score of 7.5 (HIGH). An unprivileged attacker with connectivity to the IMM2 could cause a denial of service attack on the IMM2 (Versions earlier than 4.4 for Lenovo System x and earlier than 6.4 for IBM System x). Floodin...

How severe is CVE-2017-3768?

CVE-2017-3768 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-3768?

Check the references section above for vendor advisories and patch information. Affected products include: Lenova Flex System X240 M5 Firmware, Lenova Flex System X240 M5, Lenova Flex System X280 X6 Firmware, Lenova Flex System X280 X6, Lenova Flex System X440 M4 Firmware.