No Patch for High-Severity Bug in Legacy IBM System X Servers

Two of IBM’s aging flagship server models, retired in 2020, won’t be patched for a command-injection flaw.

Two legacy IBM System x server models, retired in 2019, are open to attack and will not receive security patches, according to hardware maker Lenovo. However, the company is offering workaround mitigation.

The two models, IBM System x 3550 M3 and IBM System x 3650 M3, are both vulnerable to command injection attacks. The bug allows an adversary to execute arbitrary commands on either server model’s operating system via a vulnerable application called Integrated Management Module (IMM).

IMM is used for systems-management functions. On the back panel of System x models, serial and Ethernet connectors use the IMM for device management. The flaw, according to a Lenovo advisory posted Tuesday, is in the IMM firmware code and “could allow the execution of operating system commands over an authenticated SSH or Telnet session.”

Infosec Insiders Newsletter

SSH or Secure Shell is a cryptographic network communication protocol allowing two computers to communicate or share data. Telnet is another network protocol that allows remote users to log into another computer on the same network. Telnet, by default, does not encrypt data sent over its connection.

The bug, tracked as CVE-2021-3723, was disclosed on Wednesday and bug hunter Denver Abrey is credited for finding it.

Eight vulnerabilities in a later version of IMM – called IMM2 – were identified in June 2020, three high-severity. These bugs were tied to flaws in client-side code responsible for implementing the SSH2 protocol, called libssh2.

Both the System x 3550 M3 and System x 3650 M3 were introduced April 5, 2011 (PDF) as midsized businesses solutions. On June 30, 2015, Lenovo announced systems were both discontinued, but would receive security updates for five additional years.

According to the Lenovo security bulletin, software and security support for System x 3550 and 3650 ended December 31, 2019.

“Lenovo has historically provided service and support for at least five years following a product’s withdrawal from marketing. This is subject to change at Lenovo’s sole discretion without notice. Lenovo will announce a product’s EOS date at least 90 days before the actual EOS date and in most cases longer,” wrote Lenovo.

On Wednesday Lenovo said it “recommends discontinuation of use” of both servers, but offered a “mitigation strategy”.

“If it is not feasible to discontinue use of these systems,” Lenovo recommended:

  • Disable SSH and Telnet (This can be done in the Security and Network Protocol sections of the navigation pane after logging into the IMM web interface)
  • Change the default Administrator password during initial configuration
  • Enforce strong passwords
  • Only grant access to trusted administrators

Lenovo did not indicate if it was aware of any active campaigns targeting the vulnerability.

It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on September 22 at 2 PM EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.

Suggested articles