AMI MegaRAC Vulnerability

Lenovo Security Advisory: LEN-121190

Potential Impact: Code Execution

Severity: Medium

Scope of Impact: Industry-wide

CVE Identifier: CVE-2023-28863

 

Summary Description:

AMI reported a potential security vulnerability in AMI MegaRAC SP-X Baseboard Management Controllers that causes a failure to enforce integrity and confidentiality with IPMIv2. 

 

Mitigation Strategy for Customers (what you should do to protect yourself):

AMI recommends customers upgrade to the BMC firmware version (or newer) indicated for your model in the Product Impact section below.

AMI also recommends that customers continue to maintain strict access controls to BMC devices.

Note: Hyperscale customers: Please contact your Lenovo service representative for update information.

 

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 

Affected products are listed in the Hyperscale and ThinkSystem tables at the end of this advisory.

 

References:

https://9443417.fs1.hubspotusercontent-na1.net/hubfs/9443417/Security%20Advisories/AMI-SA-2023003.pdf

 

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1 | 2024-04-09 | Initial release |

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

Hyperscale

| Product | Component | Minimum Fixed Version |
|---|---|---|
| HR610X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR610X | R15_40_0608 |
| HR630X (HyperScale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_53_0608 |
| HR630X V2 (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X_V2 | 1.52 |
| HR650X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_53_0608 |

 

ThinkSystem

| Product | Component | Minimum Fixed Version |
|---|---|---|
| HG680X (ThinkSystem) | Baseboard Management Controller (BMC) - ThinkSystem HG680X | SE550V2 V5.49.00 & DN8848V2 V6.40.00 |
| SR635 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | V6.67 |
| SR655 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | V6.67 |

Alias Id: LEN-121190
Document ID: PS500612
Original Publish Date: 04/09/2024
Last Modified Date: 04/09/2024