CVE-2018-1992 — MEDIUM (6.4)

Q: How severe is CVE-2018-1992?

CVE-2018-1992 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-1992?

Check the references section above for vendor advisories and patch information. Affected products include: Ibm Power System S922 \(9009-22A\) Firmware, Ibm Power System S922 \(9009-22A\), Ibm Power System H922 \(9223-22H\) Firmware, Ibm Power System H922 \(9223-22H\), Ibm Power System S914 \(9009-41A\) Firmware.

Vulnerability Description

The IBM Power 9 OP910, OP920, and FW910 boot firmware's bootloader is responsible for loading and validating the initial boot firmware image that drives the rest of the system's hardware initialization. The bootloader firmware contains a buffer overflow vulnerability such that, if an attacker were able to replace the initial boot firmware image with a very carefully crafted and sufficiently large, malicious replacement, it could cause the bootloader, during the load of that image, to overwrite its own instruction memory and circumvent secure boot protections, install trojans, etc. IBM X-Force ID: 154345.

CVSS Score

6.4

MEDIUM

CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Ibm	Power System S922 \(9009-22A\) Firmware	< fw910.10
Ibm	Power System S922 \(9009-22A\)	-
Ibm	Power System H922 \(9223-22H\) Firmware	< fw910.10
Ibm	Power System H922 \(9223-22H\)	-
Ibm	Power System S914 \(9009-41A\) Firmware	< fw910.10
Ibm	Power System S914 \(9009-41A\)	-
Ibm	Power System S924 \(9009-42A\) Firmware	< fw910.10
Ibm	Power System S924 \(9009-42A\)	-
Ibm	Power System H924 \(9223-42H\) Firmware	< fw910.10
Ibm	Power System H924 \(9223-42H\)	-
Ibm	Power System L922 \(9008-22L\) Firmware	< fw910.10
Ibm	Power System L922 \(9008-22L\)	-
Ibm	Power System Ac922 \(8335-Gtg\) Firmware	< op910.30
Ibm	Power System Ac922 \(8335-Gtg\)	-
Ibm	Power System Ac922 \(8335-Gth\) Firmware	< op920.10
Ibm	Power System Ac922 \(8335-Gth\)	-
Ibm	Power System Ac922 \(8335-Gtx\) Firmware	< op920.10
Ibm	Power System Ac922 \(8335-Gtx\)	-
Ibm	Power System Lc921 \(9006-12P\) Firmware	< op920.10
Ibm	Power System Lc921 \(9006-12P\)	-

Related Weaknesses (CWE)

CWE-119

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/154345VDB EntryVendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10868992Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/154345VDB EntryVendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10868992Vendor Advisory

FAQ

What is CVE-2018-1992?

CVE-2018-1992 is a vulnerability with a CVSS score of 6.4 (MEDIUM). The IBM Power 9 OP910, OP920, and FW910 boot firmware's bootloader is responsible for loading and validating the initial boot firmware image that drives the rest of the system's hardware initializatio...

How severe is CVE-2018-1992?

CVE-2018-1992 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-1992?

Check the references section above for vendor advisories and patch information. Affected products include: Ibm Power System S922 \(9009-22A\) Firmware, Ibm Power System S922 \(9009-22A\), Ibm Power System H922 \(9223-22H\) Firmware, Ibm Power System H922 \(9223-22H\), Ibm Power System S914 \(9009-41A\) Firmware.