Authentication Bypass Vulnerabilities in FPC2 and SMM Firmware
Lenovo Security Advisory: LEN-72615
Potential Impact: Authentication bypass
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2021-3849, CVE-2021-3897
Summary Description:
The following vulnerabilities were discovered during an internal security review.
CVE-2021-3849: An authentication bypass vulnerability was discovered in the web interface of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
CVE-2021-3897: An authentication bypass vulnerability was discovered in an internal service of the Lenovo Fan Power Controller2 (FPC2) and Lenovo System Management Module (SMM) firmware that could allow an unauthenticated attacker to execute commands on the SMM and FPC2. SMM2 is not affected.
Mitigation Strategy for Customers (what you should do to protect yourself):
Upgrade to the firmware version (or newer) indicated for your model in the Product Impact section below.
To download the version specified for your product below, follow these steps:
- Navigate to the Drivers & Software support site for your product:
  - Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
  - Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
  - IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
References:
https://www.ibm.com/support/pages/fan-power-controller-fpc-firmware-update-v360-ibm-system-x
Revision History:
Revision | Date | Description |
---|---|---|
1 | 2021-12-14 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | Minimum Fixed Version |
---|---|---|
Enclosure - n1200 Enclosure (NeXtScale) | Lenovo Fan Power Controller2 (FPC2) (For AnyOS) | FHET50B-2.90 |
Enclosure - n1200 water-cooled Enclosure (NeXtScale) | Lenovo Fan Power Controller2 (FPC2) (For AnyOS) | FHET50B-2.90 |
IBM NeXtScale Fan Power Controller (FPC) | IBM NeXtScale Fan Power Controller2 (FPC2) | 44A-3.70 |
HX Enclosure Certified Node (ThinkAgile) | Lenovo System Management Module Firmware v1.22 [TESM30D] (For AnyOS) | TESM28B-1.21 |
VX Enclosure (ThinkAgile) | Lenovo System Management Module Firmware v1.22 [TESM30D] (For AnyOS) | TESM28B-1.21 |
D2 Enclosure (ThinkSystem) | Lenovo System Management Module Firmware v1.22 [TESM30D] (For AnyOS) | TESM28B-1.21 |