First published: Tue Nov 27 2018
In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability.
Credit: psirt@lenovo.com
Affected Software | Affected Version | How to fix |
---|---|---|
Lenovo System Management Module firmware | <1.06 | |
Lenovo ThinkAgile HX Enclosure 7x81 | | |
Lenovo ThinkAgile HX Enclosure 7Y87 | | |
Lenovo ThinkAgile HX Enclosure 7Z02 | | |
Lenovo ThinkAgile VX Enclosure 7Y11 | | |
Lenovo ThinkAgile VX Enclosure 7Y91 | | |
Lenovo ThinkSystem D2 Enclosure | | |
Lenovo ThinkSystem Modular Enclosure 7x22 | | |

Update SMM firmware
CVE-2018-9083 has a critical severity rating due to the presence of weak default root credentials allowing unauthorized access.
To fix CVE-2018-9083, update the Lenovo System Management Module firmware to version 1.06 or later.
CVE-2018-9083 affects Lenovo System Management Module firmware versions prior to 1.06.
An attacker can potentially log in to the device OS using weak default credentials if SSH or Telnet is enabled.
While there is no public exploit specifically noted for CVE-2018-9083, the vulnerability itself poses a significant security risk.