CVE-2021-3849
First published: Fri Apr 22 2022(Updated: )
An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
Credit: psirt@lenovo.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lenovo Nextscale N1200 Enclosure Firmware | <fhet50b-2.90 | |
| Lenovo Nextscale N1200 Enclosure | ||
| Lenovo Thinkagile Hx Enclosure Certified Node Firmware | <tesm28b-1.21 | |
| Lenovo Thinkagile Hx Enclosure Certified Node | ||
| Lenovo Thinkagile Vx Enclosure Firmware | <tesm28b-1.21 | |
| Lenovo Thinkagile Vx Enclosure | ||
| Lenovo Thinksystem D2 Enclosure Firmware | <tesm28b-1.21 | |
| Lenovo Thinksystem D2 Enclosure | ||
| Ibm Nextscale Fan Power Controller Firmware | <44a-3.70 | |
| Ibm Nextscale Fan Power Controller |
Remedy
Upgrade to the firmware version (or newer) indicated for your model in the Product Impact section in LEN-72615.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2021-3849?
CVE-2021-3849 is an authentication bypass vulnerability in the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that allows an unauthenticated attacker to execute commands on the SMM and FPC2.
What software is affected by CVE-2021-3849?
The affected software includes Lenovo Nextscale N1200 Enclosure Firmware, Lenovo Thinkagile Hx Enclosure Certified Node Firmware, Lenovo Thinkagile Vx Enclosure Firmware, and Lenovo Thinksystem D2 Enclosure Firmware.
How severe is CVE-2021-3849?
CVE-2021-3849 has a severity rating of 9.8 (Critical).
How can an attacker exploit CVE-2021-3849?
An attacker can exploit CVE-2021-3849 by bypassing authentication in the web interface and executing commands on the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM).
Where can I find more information about CVE-2021-3849?
You can find more information about CVE-2021-3849 on the Lenovo Product Security website.
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/last-modified-date
- agent/tags
- agent/description
- agent/first-publish-date
- agent/event
- vendor/lenovo
- canonical/lenovo nextscale n1200 enclosure firmware
- canonical/lenovo nextscale n1200 enclosure
- canonical/lenovo thinkagile hx enclosure certified node firmware
- canonical/lenovo thinkagile hx enclosure certified node
- canonical/lenovo thinkagile vx enclosure firmware
- canonical/lenovo thinkagile vx enclosure
- canonical/lenovo thinksystem d2 enclosure firmware
- canonical/lenovo thinksystem d2 enclosure
- vendor/ibm
- canonical/ibm nextscale fan power controller firmware
- canonical/ibm nextscale fan power controller