
Two legacy IBM System x server models, are open to attack tracked as CVE-2021-3723 and will not receive security patches, but a workaround is available for mitigation.
The two models, IBM System x 3550 M3 and IBM System x 3650 M3, are both vulnerable to command injection attacks. The bug allows to execute arbitrary commands on either server model’s operating system via a vulnerable application called Integrated Management Module (IMM).
IMM is used for systems-management functions. On the back panel of System x models, serial and Ethernet connectors use the IMM for device management could allow the execution of operating system commands over an authenticated SSH or Telnet session.
Eight vulnerabilities in a later version of IMM called IMM2 were identified in June 2020, three high-severity. These bugs were tied to flaws in client-side code responsible for implementing the SSH2 protocol, called libssh2.
According to the Lenovo security bulletin, software and security support for System x 3550 and 3650 ended December 31, 2019.
Mitigation ways
- Disable SSH and Telnet
- Change the default Administrator password during initial configuration
- Enforce strong passwords
- Only grant access to trusted administrators