Lenovo warns of a serious security vulnerability in older IBM System x 3550 M3 and 3650 M3 blade servers. An attacker can execute arbitrary commands via a weak point in the firmware of the Integrated Management Module (IMM) and thus potentially hijack the server. There will be no updates and Lenovo recommends that the servers be phased out.
The vulnerable server types were first sold in 2011 and were deprecated in 2015. They received security updates until the end of 2019, but are no longer supplied with patches. Lenovo has no intention of changing that for this vulnerability either.
The vulnerability in the IMM firmware is tracked as CVE-2021-3723 and can be exploited over an SSH or Telnet connection. It was discovered by independent security researcher Denver Abrey, who has apparently not yet released details on how exactly an attack would proceed. So far, nothing is known about whether the vulnerability is already being used in attacks.
Affected servers that are still in operation should be taken out of service as soon as possible, in line with Lenovo's recommendation. Because the vulnerability will never be patched, these servers become an attractive target for attackers looking for a way into the network in which they sit. For admins who cannot remove a vulnerable server from the network immediately, Lenovo recommends disabling SSH and Telnet connections to the IMM via its web interface. In addition, admins should replace the factory-set password with a strong one of their own and grant access to these servers only to trusted persons.
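The following is an added defender-side check, not code from the article or from Lenovo: it walks a constructed asset inventory, flags the two affected models, probes from a management host whether the IMM's SSH and Telnet services are still reachable after they were supposedly disabled, and reports what is left to do. It assumes the IMM services listen on the standard ports 22 and 23, and the addresses and host names are placeholders.

```python
"""Post-mitigation exposure check for IMM management interfaces (constructed example)."""
import socket
from dataclasses import dataclass

# Model strings as named in the advisory, normalised (lower case, no spaces/hyphens).
AFFECTED_MODELS = ("x3550m3", "x3650m3")
# Ports the IMM SSH and Telnet services normally use (assumption, not from the advisory).
MGMT_PORTS = {"ssh": 22, "telnet": 23}


@dataclass
class ImmHost:
    name: str
    model: str
    imm_ip: str
    default_password_changed: bool


def is_affected_model(model: str) -> bool:
    """Match 'IBM System x 3650 M3', 'System x3650 M3' and 'x3650-M3' alike."""
    norm = model.lower().replace(" ", "").replace("-", "")
    return any(m in norm for m in AFFECTED_MODELS)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake completes; no banner is read and no login is attempted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(host: ImmHost, open_ports: dict[str, bool]) -> list[str]:
    """Findings for one host; an empty list means nothing is left to do."""
    findings: list[str] = []
    if not is_affected_model(host.model):
        return findings
    findings.append("affected model with no fix available: plan decommissioning")
    for svc, is_open in open_ports.items():
        if is_open:
            findings.append(f"{svc} still reachable on the IMM: disable it via the IMM web interface")
    if not host.default_password_changed:
        findings.append("factory-set IMM password still in use: replace it")
    return findings


def audit(hosts: list[ImmHost], probe=tcp_port_open) -> dict[str, list[str]]:
    """Probe each affected host's IMM and collect findings; `probe` is injectable for tests."""
    report: dict[str, list[str]] = {}
    for h in hosts:
        if not is_affected_model(h.model):
            continue  # other models are out of scope for this advisory
        open_ports = {svc: probe(h.imm_ip, port) for svc, port in MGMT_PORTS.items()}
        report[h.name] = assess(h, open_ports)
    return report


if __name__ == "__main__":
    # Constructed inventory; 192.0.2.0/24 is a documentation range, not a real network.
    inventory = [
        ImmHost("db-old-1", "IBM System x 3650 M3", "192.0.2.10", default_password_changed=False),
        ImmHost("web-7", "System x3650 M5", "192.0.2.11", default_password_changed=True),
    ]
    for name, findings in audit(inventory).items():
        print(name, *findings, sep="\n  ")
```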