AMI MegaRAC SP-X BMC Vulnerabilities
AMI MegaRAC SP-X BMC Vulnerabilities
AMI MegaRAC SP-X BMC Vulnerabilities
Lenovo Security Advisory: LEN-98711
Potential Impact: Arbitrary Code Execution, Unauthorized Access
Severity: High
Scope of Impact: Industry-wide
CVE Identifier: CVE-2022-40259, CVE-2022-40242, CVE-2022-2827
Summary Description:
AMI reported potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controller that may allow user enumeration, unauthorized access or arbitrary code execution.
AMI has released AMI MegaRAC SP-X Baseboard Management Controller (BMC) security enhancements to address these vulnerabilities.
Mitigation Strategy for Customers (what you should do to protect yourself):
AMI recommends customers upgrade to the BMC firmware version (or newer) indicated for your model in the Product Impact section below.
AMI also recommends that customers continue to maintain strict access controls to BMC devices.
Note: Hyperscale customers: Please contact your Lenovo service representative for update information.
To download the version specified for your product below, follow these steps:
Navigate to the Drivers & Software support site for your product:
- Lenovo Products (sold worldwide, except in China): https://support.lenovo.com/
- Lenovo Products (sold in China): https://newsupport.lenovo.com.cn/
- IBM-branded System x Legacy Products: https://www.ibm.com/support/fixcentral/
- Search for your product by name or machine type.
- Click Drivers & Software on the left menu panel.
- Click on Manual Update to browse by Component type.
- Compare the minimum fix version for your product from the applicable product table below with the latest version posted on the support site.
Lenovo also offers tools to assist with update management as an alternative to the manual steps described above. Refer to the following for additional help:
PC Products and Software: https://support.lenovo.com/us/en/solutions/ht504759
Server and Enterprise Software: https://support.lenovo.com/us/en/solutions/lnvo-lxcaupd and https://datacentersupport.lenovo.com/us/en/documents/lnvo-center
Click below links to view affected products:
Revision History:
Revision | Date | Description |
---|---|---|
4 | 2023-01-18 | Updated Product Impact |
3 | 2023-01-06 | Updated Product Impact |
2 | 2022-12-8 | Updated Product Impact |
1 | 2022-12-07 | Initial release |
For a complete list of all Lenovo Product Security Advisories, click here.
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
Product Impact:
Product | Component | Minimum Fixed Version |
Converged HX2710-E Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |
Converged HX3710 Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |
Converged HX3710-F Appliance | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E | v2.88.56 |
Product | Component | Minimum Fixed Version |
HR610X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR610X | V15_37 |
HR630X (HyperScale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_51_0104 |
HR650X (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem HR630X/HR650X | R11_51_0104 |
Rack Server - RD350G (Hyperscale) | Baseboard Management Controller (BMC) - ThinkSystem RD350G | v922-53851 |
Product | Component | Minimum Fixed Version |
N3310 Storage | Baseboard Management Controller (BMC) - Storage N3310 | v5.38.434 |
N4610 Storage | Baseboard Management Controller (BMC) - Storage N4610 | v5.38.434 |
Product | Component | Minimum Fixed Version |
Lenovo Converged Series - Lenovo Converged HX2710-E | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
Lenovo Converged Series - Lenovo Converged HX3710 | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
Lenovo Converged Series - Lenovo Converged HX3710-F | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
Rack Server - RD350 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD350 | v5.38.434 |
Rack Server - RD450 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD450 | v5.38.434 |
Rack Server - RD550 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD550 | v5.38.434 |
Rack Server - RD650 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RD650 | v5.38.434 |
Rack Server - RS160 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS160 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS160 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS260 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS260 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS260 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Rack Server - RS260 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer RS260 | v3.18 |
ThinkServer SD350 | Baseboard Management Controller (BMC) Firmware Update - Lenovo Converged HX3710/HX3710-F/HX2710-E, ThinkServer SD350 | v4.16 |
ThinkServer SD350 | Baseboard Management Controller (BMC) Firmware Update - ThinkServer SD350 | v4.16 |
Tower Server - TD350 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer TD350 | v5.38.434 |
Tower Server - TS460 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS460 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS460 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS560 (ThinkServer) | BMC Update Utility for Linux (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS560 (ThinkServer) | BMC Update Utility for Web Browser - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS560 (ThinkServer) | BMC Update Utility for Windows Server 2012, 2012 R2, 2016 (64-bit) - ThinkServer RS160, TS460 | v3.18 |
Tower Server - TS560 (ThinkServer) | Baseboard Management Controller (BMC) - ThinkServer TS560 | v3.18 |
Product | Component | Minimum Fixed Version |
HG680X (ThinkSystem) | Baseboard Management Controller (BMC) - ThinkSystem HG680X | HG680X v5.63.00 or later |
SR635 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | v5.84 |
SR655 (ThinkSystem) | Lenovo ThinkSystem SR635/655 Baseboard Management Controller (BMC) | v5.84 |
Your feedback helps to improve the overall experience