NVD Vulnerability Detail

CVE-2017-3774

Summary	A stack overflow vulnerability was discovered within the web administration service in Integrated Management Module 2 (IMM2) earlier than version 4.70 used in some Lenovo servers and earlier than version 6.60 used in some IBM servers. An attacker providing a crafted user ID and password combination can cause a portion of the authentication routine to overflow its stack, resulting in stack corruption.
Publication Date	April 19, 2018, 11:29 p.m.
Registration Date	Jan. 26, 2021, 1:23 p.m.
Last Update	Nov. 21, 2024, 12:26 p.m.

CVSS3.0 : CRITICAL
スコア	9.8
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	高
完全性への影響(I)	高
可用性への影響(A)	高

CVSS2.0 : HIGH
Score	7.5
Vector	AV:N/AC:L/Au:N/C:P/I:P/A:P
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	低
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:lenovo:integrated_management_module_2::::::::					4.70
execution environment
1	cpe:2.3:h:lenovo:flex_system_x240_m4:-:::::::*
2	cpe:2.3:h:lenovo:flex_system_x240_m5:-:::::::*
3	cpe:2.3:h:lenovo:flex_system_x280_x6:-:::::::*
4	cpe:2.3:h:lenovo:flex_system_x440_m4:-:::::::*
5	cpe:2.3:h:lenovo:flex_system_x480_x6:-:::::::*
6	cpe:2.3:h:lenovo:flex_system_x880:-:::::::*
7	cpe:2.3:h:lenovo:nextscale_nx360_m5:-:::::::*
8	cpe:2.3:h:lenovo:system_x3250_m6:-:::::::*
9	cpe:2.3:h:lenovo:system_x3500_m5:-:::::::*
10	cpe:2.3:h:lenovo:system_x3550_m5:-:::::::*
11	cpe:2.3:h:lenovo:system_x3650_m5:-:::::::*
12	cpe:2.3:h:lenovo:system_x3750_m4:-:::::::*
13	cpe:2.3:h:lenovo:system_x3850_x6:-:::::::*
14	cpe:2.3:h:lenovo:system_x3950_x6:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:lenovo:integrated_management_module_2::::::::					6.60
execution environment
1	cpe:2.3:h:ibm:bladecenter_hs22:-:::::::*
2	cpe:2.3:h:ibm:bladecenter_hs23:-:::::::*
3	cpe:2.3:h:ibm:bladecenter_hs23e:-:::::::*
4	cpe:2.3:h:ibm:flex_system_x220_m4:-:::::::*
5	cpe:2.3:h:ibm:flex_system_x222_m4:-:::::::*
6	cpe:2.3:h:ibm:flex_system_x240_m4:-:::::::*
7	cpe:2.3:h:ibm:flex_system_x280_m4:-:::::::*
8	cpe:2.3:h:ibm:flex_system_x440_m4:-:::::::*
9	cpe:2.3:h:ibm:flex_system_x480_m4:-:::::::*
10	cpe:2.3:h:ibm:flex_system_x880_m4:-:::::::*
11	cpe:2.3:h:ibm:idataplex_dx360_m4:-:::::::*
12	cpe:2.3:h:ibm:idataplex_dx360_m4_water_cooled:-:::::::*
13	cpe:2.3:h:ibm:nextscale_nx360_m4:-:::::::*
14	cpe:2.3:h:ibm:system_x3100_m4:-:::::::*
15	cpe:2.3:h:ibm:system_x3100_m5:-:::::::*
16	cpe:2.3:h:ibm:system_x3250_m4:-:::::::*
17	cpe:2.3:h:ibm:system_x3250_m5:-:::::::*
18	cpe:2.3:h:ibm:system_x3300_m4:-:::::::*
19	cpe:2.3:h:ibm:system_x3500_m4:-:::::::*
20	cpe:2.3:h:ibm:system_x3530_m4:-:::::::*
21	cpe:2.3:h:ibm:system_x3550_m4:-:::::::*
22	cpe:2.3:h:ibm:system_x3630_m4:-:::::::*
23	cpe:2.3:h:ibm:system_x3650_m4:-:::::::*
24	cpe:2.3:h:ibm:system_x3650_m4_bd:-:::::::*
25	cpe:2.3:h:ibm:system_x3650_m4_hd:-:::::::*
26	cpe:2.3:h:ibm:system_x3750_m4:-:::::::*
27	cpe:2.3:h:ibm:system_x3850_x6:-:::::::*
28	cpe:2.3:h:ibm:system_x3950_x6:-:::::::*

Related information, measures and tools

No	URL	refsource	タグ
1	https://support.lenovo.com/us/en/product_security/LEN-19586		Vendor Advisory
2	https://support.lenovo.com/us/en/product_security/LEN-19586		Vendor Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-119	バッファエラー	https://cwe.mitre.org/data/definitions/118.html

JVN Vulnerability Information

Integrated Management Module 2 におけるバッファエラーの脆弱性

Title	Integrated Management Module 2 におけるバッファエラーの脆弱性
Summary	Integrated Management Module 2 (IMM2) には、バッファエラーの脆弱性が存在します。
Possible impacts	情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 12, 2018, midnight
Registration Date	June 20, 2018, 3:02 p.m.
Last Update	June 20, 2018, 3:02 p.m.

Affected System

Lenovo

統合管理モジュール 2 4.70 未満

統合管理モジュール 2 6.60 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2017-3774	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3774
National Vulnerability Database (NVD)
2	CVE-2017-3774	https://nvd.nist.gov/vuln/detail/CVE-2017-3774

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-119	https://jvndb.jvn.jp/ja/cwe/CWE-119.html

ベンダー情報

No	Name	URL
レノボセキュリティアドバイザリ
1	LEN-19586	https://support.lenovo.com/jp/ja/product_security/len-19586

Change Log

No	Changed Details	Date of change
1	[2018年06月20日] 掲載	June 20, 2018, 3:02 p.m.

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:lenovo:integrated_management_module_2::::::::					4.70
execution environment
1	cpe:2.3:h:lenovo:flex_system_x240_m4:-:::::::*
2	cpe:2.3:h:lenovo:flex_system_x240_m5:-:::::::*
3	cpe:2.3:h:lenovo:flex_system_x280_x6:-:::::::*
4	cpe:2.3:h:lenovo:flex_system_x440_m4:-:::::::*
5	cpe:2.3:h:lenovo:flex_system_x480_x6:-:::::::*
6	cpe:2.3:h:lenovo:flex_system_x880:-:::::::*
7	cpe:2.3:h:lenovo:nextscale_nx360_m5:-:::::::*
8	cpe:2.3:h:lenovo:system_x3250_m6:-:::::::*
9	cpe:2.3:h:lenovo:system_x3500_m5:-:::::::*
10	cpe:2.3:h:lenovo:system_x3550_m5:-:::::::*
11	cpe:2.3:h:lenovo:system_x3650_m5:-:::::::*
12	cpe:2.3:h:lenovo:system_x3750_m4:-:::::::*
13	cpe:2.3:h:lenovo:system_x3850_x6:-:::::::*
14	cpe:2.3:h:lenovo:system_x3950_x6:-:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:a:lenovo:integrated_management_module_2::::::::					6.60
execution environment
1	cpe:2.3:h:ibm:bladecenter_hs22:-:::::::*
2	cpe:2.3:h:ibm:bladecenter_hs23:-:::::::*
3	cpe:2.3:h:ibm:bladecenter_hs23e:-:::::::*
4	cpe:2.3:h:ibm:flex_system_x220_m4:-:::::::*
5	cpe:2.3:h:ibm:flex_system_x222_m4:-:::::::*
6	cpe:2.3:h:ibm:flex_system_x240_m4:-:::::::*
7	cpe:2.3:h:ibm:flex_system_x280_m4:-:::::::*
8	cpe:2.3:h:ibm:flex_system_x440_m4:-:::::::*
9	cpe:2.3:h:ibm:flex_system_x480_m4:-:::::::*
10	cpe:2.3:h:ibm:flex_system_x880_m4:-:::::::*
11	cpe:2.3:h:ibm:idataplex_dx360_m4:-:::::::*
12	cpe:2.3:h:ibm:idataplex_dx360_m4_water_cooled:-:::::::*
13	cpe:2.3:h:ibm:nextscale_nx360_m4:-:::::::*
14	cpe:2.3:h:ibm:system_x3100_m4:-:::::::*
15	cpe:2.3:h:ibm:system_x3100_m5:-:::::::*
16	cpe:2.3:h:ibm:system_x3250_m4:-:::::::*
17	cpe:2.3:h:ibm:system_x3250_m5:-:::::::*
18	cpe:2.3:h:ibm:system_x3300_m4:-:::::::*
19	cpe:2.3:h:ibm:system_x3500_m4:-:::::::*
20	cpe:2.3:h:ibm:system_x3530_m4:-:::::::*
21	cpe:2.3:h:ibm:system_x3550_m4:-:::::::*
22	cpe:2.3:h:ibm:system_x3630_m4:-:::::::*
23	cpe:2.3:h:ibm:system_x3650_m4:-:::::::*
24	cpe:2.3:h:ibm:system_x3650_m4_bd:-:::::::*
25	cpe:2.3:h:ibm:system_x3650_m4_hd:-:::::::*
26	cpe:2.3:h:ibm:system_x3750_m4:-:::::::*
27	cpe:2.3:h:ibm:system_x3850_x6:-:::::::*
28	cpe:2.3:h:ibm:system_x3950_x6:-:::::::*