
System Management Module (SMM) v1 and v2 / Fan Power Controller (FPC) Vulnerabilities


Lenovo Security Advisory: LEN-127357

Potential Impact: Denial of service, Privilege Escalation

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2023-2992, CVE-2023-2993

 

Summary Description:

The following vulnerabilities were discovered during an internal security review:

CVE-2023-2992: An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server, which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server.

CVE-2023-2993: A valid, authenticated user with limited privileges may be able to use specifically crafted web management server API calls to execute a limited number of commands on SMM v1, SMM v2, and FPC that the user does not normally have sufficient privileges to execute. 

 

Mitigation Strategy for Customers (what you should do to protect yourself):

Restrict management web server access to trusted, authorized users.

Upgrade to the firmware version (or newer) indicated for your model in the Product Impact section below.

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 

Affected products are listed by product family under Product Impact below: System x, ThinkAgile, ThinkSystem.

 

Revision History:

| Revision | Date | Description |
|---|---|---|
| 2 | 2023-06-16 | Updated ThinkAgile Product Links |
| 1 | 2023-06-13 | Initial release |

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

System x

| Product | Component | Minimum Fixed Version |
|---|---|---|
| Enclosure - n1200 Enclosure (NeXtScale) | Lenovo Fan Power Controller2 (FPC2) (For AnyOS) | FHET60B-3.40 |
| Enclosure - n1200 water-cooled Enclosure (NeXtScale) | Lenovo Fan Power Controller2 (FPC2) (For AnyOS) | FHET60B-3.40 |

 

ThinkAgile

| Product | Component | Minimum Fixed Version |
|---|---|---|
| CP-CB-10 (Lenovo) | Lenovo System Management Module Firmware v1.24 [TESM34D] (For AnyOS) | TESM38C-1.26 |
| CP-CB-10E (Lenovo) | Lenovo System Management Module Firmware v1.24 [TESM34D] (For AnyOS) | TESM38C-1.26 |
| HX Enclosure Certified Node (ThinkAgile) | Lenovo System Management Module Firmware v1.24 [TESM34D] (For AnyOS) | TESM38C-1.26 |
| VX Enclosure (ThinkAgile) | Lenovo System Management Module Firmware v1.24 [TESM34D] (For AnyOS) | TESM38C-1.26 |

 

ThinkSystem

| Product | Component | Minimum Fixed Version |
|---|---|---|
| D2 Enclosure (ThinkSystem) | Lenovo System Management Module Firmware v1.24 [TESM34D] (For AnyOS) | TESM38C-1.26 |
| DA240 Enclosure (ThinkSystem) | Lenovo System Management Module 2 Firmware v1.05 [UMSM10P] (For AnyOS) | UMSM10S-1.07 |
| DW612 Enclosure (ThinkSystem) | Lenovo System Management Module 2 Firmware v1.05 [UMSM10P] (For AnyOS) | UMSM10S-1.07 |
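
Added example (not part of the Lenovo advisory and not Lenovo code): a fleet check that applies the version comparison from step 4 to an inventory of enclosure firmware strings, using the minimum fixed versions from the tables above. It assumes firmware is reported as `<build id>-<major>.<minor>`, that the first four letters of the build id identify the firmware family, and that the numeric part orders releases within a family; the hostnames and the `ABCD12E-1.00` string are constructed sample data.

```python
import re

# Minimum fixed versions copied from the advisory's Product Impact tables.
MIN_FIXED = {
    "FHET": "FHET60B-3.40",  # FPC2: n1200 enclosures (NeXtScale)
    "TESM": "TESM38C-1.26",  # SMM v1: ThinkAgile CP/HX/VX, ThinkSystem D2
    "UMSM": "UMSM10S-1.07",  # SMM2: ThinkSystem DA240, DW612
}

# Assumed string format: <build id>-<major>.<minor>, e.g. "TESM38C-1.26".
_VERSION_RE = re.compile(r"^([A-Z]{4})[0-9A-Z]+-(\d+)\.(\d+)$")

def parse(version):
    """Return (family, (major, minor)); raise ValueError on an unknown format."""
    m = _VERSION_RE.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised firmware string: {version!r}")
    return m.group(1), (int(m.group(2)), int(m.group(3)))

def status(installed):
    """Classify one installed firmware string against the advisory."""
    try:
        family, ver = parse(installed)
    except ValueError:
        return "UNKNOWN"          # cannot be compared: check by hand
    if family not in MIN_FIXED:
        return "NOT_LISTED"       # family does not appear in this advisory
    _, fixed = parse(MIN_FIXED[family])
    # Compare as integer tuples so 3.5 sorts below 3.40.
    return "FIXED" if ver >= fixed else "VULNERABLE"

def audit(inventory):
    """Map enclosure name -> status for a {name: firmware string} inventory."""
    return {name: status(fw) for name, fw in inventory.items()}

# Constructed inventory; the 1.24 and 1.05 builds are the pre-fix ones named above.
SAMPLE = {
    "d2-rack01": "TESM34D-1.24",
    "d2-rack02": "TESM38C-1.26",
    "dw612-a": "UMSM10P-1.05",
    "n1200-b": "FHET60B-3.40",
    "lab-misc": "ABCD12E-1.00",
    "unreachable": "n/a",
}

if __name__ == "__main__":
    for name, result in sorted(audit(SAMPLE).items()):
        print(f"{name:12} {SAMPLE[name]:14} {result}")
```

Enclosures reported as UNKNOWN or NOT_LISTED still need a manual check against the support site, since the script only knows the three firmware families in this advisory.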

Alias Id: LEN-127357
Document ID: PS500565
Original Publish Date: 06/13/2023
Last Modified Date: 06/16/2023