Two legacy IBM System x server models are vulnerable to a command-injection flaw tracked as CVE-2021-3723. They will not receive security patches, but a workaround is available for mitigation.

The two models, IBM System x 3550 M3 and IBM System x 3650 M3, are both affected. The bug allows an authenticated attacker to execute arbitrary commands on the operating system of either server model's Integrated Management Module (IMM), the vulnerable component.

IMM provides systems-management functions and is reached through the serial and Ethernet connectors on the back panel of System x models. The flaw could allow the execution of operating system commands over an authenticated SSH or Telnet session to the IMM.

Eight vulnerabilities in a later version of IMM, called IMM2, were identified in June 2020, three of them high-severity. Those bugs were tied to flaws in libssh2, a client-side library that implements the SSH2 protocol.

According to the Lenovo security bulletin, software and security support for the System x 3550 M3 and 3650 M3 ended on December 31, 2019, which is why no patch will be issued.

Mitigations

  • Disable SSH and Telnet on the IMM
  • Change the default Administrator password during initial configuration
  • Enforce strong passwords
  • Only grant IMM access to trusted administrators

Because exploitation requires an authenticated session, these controls work by limiting who can reach and log in to the IMM. Keeping the management ports on an isolated management network, rather than on the general LAN or reachable from the internet, reduces exposure further.
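The first mitigation above is only effective if it is actually in place on every affected IMM. The following script is an added example, not code from the original article or from Lenovo/IBM: it sweeps a list of IMM management addresses and reports any that still accept TCP connections on the SSH (22) or Telnet (23) port. The host list and the port-to-service mapping are assumptions for illustration; the `probe` parameter exists so the audit logic can be exercised without a live network.

```python
"""Verify that IMM management interfaces no longer expose SSH or Telnet.

Added example (not from the original article or from Lenovo/IBM).
After disabling SSH and Telnet on each IMM, sweep the management
network and list any IMM that still answers on TCP 22 or 23.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Services the mitigation says to disable on the IMM, keyed by TCP port.
# Assumption: the IMM listens on the standard ports for these services.
SERVICES: Dict[int, str] = {22: "ssh", 23: "telnet"}


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Connection refused, timed out, host unreachable, or resolution failure:
        # all mean the service is not reachable from here.
        return False


def exposed_services(
    host: str,
    services: Dict[int, str] = SERVICES,
    timeout: float = 2.0,
    probe: Callable[[str, int, float], bool] = tcp_port_open,
) -> List[str]:
    """Names of the listed services that still accept connections on host."""
    return [name for port, name in services.items() if probe(host, port, timeout)]


def audit(
    hosts: Iterable[str],
    services: Dict[int, str] = SERVICES,
    timeout: float = 2.0,
    probe: Callable[[str, int, float], bool] = tcp_port_open,
) -> Dict[str, List[str]]:
    """Map each non-compliant host to the services it still exposes.

    Hosts with nothing exposed are omitted, so an empty result means every
    IMM in the inventory has SSH and Telnet disabled (or is unreachable).
    """
    findings: Dict[str, List[str]] = {}
    for host in hosts:
        exposed = exposed_services(host, services, timeout, probe)
        if exposed:
            findings[host] = exposed
    return findings


if __name__ == "__main__":
    # Constructed inventory of IMM management addresses (assumption).
    IMM_HOSTS = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    findings = audit(IMM_HOSTS)
    if not findings:
        print("All listed IMMs have SSH and Telnet disabled.")
    for host, names in findings.items():
        print(f"{host}: still exposes {', '.join(names)}")
```

Run it from a host on the management network with the real IMM addresses in `IMM_HOSTS`; a non-empty report identifies IMMs where the "disable SSH and Telnet" step has not been completed. An unreachable IMM shows as compliant, so confirm basic reachability (for example to the IMM's web port) before trusting an empty result.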