AMI MegaRAC SP-X BMC Vulnerabilities

Lenovo Security Advisory: LEN-98711

Potential Impact: Arbitrary Code Execution, Unauthorized Access

Severity: High

Scope of Impact: Industry-wide

CVE Identifier: CVE-2022-40259, CVE-2022-40242, CVE-2022-2827

 

Summary Description:

AMI reported potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers (BMCs) that may allow user enumeration, unauthorized access, or arbitrary code execution.

AMI has released AMI MegaRAC SP-X Baseboard Management Controller (BMC) security enhancements to address these vulnerabilities.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

AMI recommends customers upgrade to the BMC firmware version (or newer) indicated for your model in the Product Impact section below.

AMI also recommends that customers continue to maintain strict access controls to BMC devices.

Note: Hyperscale customers: Please contact your Lenovo service representative for update information.

 

Product Impact:

To download the version specified for your product below, follow these steps:

Navigate to the Drivers & Software support site for your product:

  1. Search for your product by name or machine type.
  2. Click Drivers & Software on the left menu panel.
  3. Click on Manual Update to browse by Component type.
  4. Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.

Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:

PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759

Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center

 


Revision History:

| Revision | Date | Description |
| --- | --- | --- |
| 4 | 2023-01-18 | Updated Product Impact |
| 3 | 2023-01-06 | Updated Product Impact |
| 2 | 2022-12-08 | Updated Product Impact |
| 1 | 2022-12-07 | Initial release |

For a complete list of all Lenovo Product Security Advisories, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 

Product Impact:

Converged HX

| Product | Component | Minimum Fixed Version |
| --- | --- | --- |
| Converged HX2710-E Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |
| Converged HX3710 Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |
| Converged HX3710-F Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |

 

Hyperscale

| Product | Component | Minimum Fixed Version |
| --- | --- | --- |
| HR610X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR610X | V15_37 |
| HR630X (HyperScale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_51_0104 |
| HR650X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_51_0104 |
| Rack Server - RD350G (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem RD350G | v922-53851 |

 

Storage

| Product | Component | Minimum Fixed Version |
| --- | --- | --- |
| N3310 Storage | Baseboard Management Controller (BMC) - Storage N3310 | v5.38.434 |
| N4610 Storage | Baseboard Management Controller (BMC) - Storage N4610 | v5.38.434 |

 

ThinkServer

| Product | Component | Minimum Fixed Version |
| --- | --- | --- |
| Lenovo Converged Series - Lenovo Converged HX2710-E | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
| Lenovo Converged Series - Lenovo Converged HX3710 | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
| Lenovo Converged Series - Lenovo Converged HX3710-F | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
| Rack Server - RD350 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD350 | v5.38.434 |
| Rack Server - RD450 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD450 | v5.38.434 |
| Rack Server - RD550 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD550 | v5.38.434 |
| Rack Server - RD650 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD650 | v5.38.434 |
| Rack Server - RS160 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS160 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS160 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS260 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS260 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS260 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Rack Server - RS260 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RS260 | v3.18 |
| ThinkServer SD350 | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
| ThinkServer SD350 | Baseboard Management Controller (BMC) Firmware Update - ThinkServer SD350 | v4.16 |
| Tower Server - TD350 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer TD350 | v5.38.434 |
| Tower Server - TS460 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS460 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS460 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS560 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS560 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS560 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
| Tower Server - TS560 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer TS560 | v3.18 |

 

ThinkSystem

| Product | Component | Minimum Fixed Version |
| --- | --- | --- |
| HG680X (ThinkSystem) | Baseboard Management Controller (BMC) - ThinkSystem HG680X | HG680X v5.63.00 or later |
| SR635 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | v5.84 |
| SR655 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | v5.84 |

Alias Id: LEN-98711
Document ID: PS500535
Original Publish Date: 12/07/2022
Last Modified Date: 01/18/2023