CVE-2018-9085
moderate-risk
Published 2018-11-16
A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.
Do I need to act?
0.14% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 4.9/10
Medium
NETWORK / LOW complexity
Affected Products (20)
Flex System X240 M4 Firmware
Flex System X440 M4 Firmware
System X3750 M4 Firmware
Bladecenter Hs23 Firmware
Bladecenter Hs23E Firmware
Flex System X220 M4 Firmware
Flex System X222 M4 Firmware
Flex System X240 M4 Firmware
Flex System X280 X6 Firmware
Flex System X440 M4 Firmware
Flex System X480 X6 Firmware
Flex System X880 X6 Firmware
Idataplex Dx360 M4 Firmware
Idataplex Dx360 M4 Water Cooled Firmware
System X3100 M4 Firmware
System X3100 M5 Firmware
System X3250 M4 Firmware
System X3250 M5 Firmware
System X3300 M4 Firmware
System X3500 M4 Firmware
References (2)
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24477
Vendor Advisory
https://support.lenovo.com/us/en/solutions/LEN-24477
43 / 100
moderate-risk
Severity
20/34 · Moderate
Exploitability
1/34 · Minimal
Exposure
22/34 · High