CVE-2021-3723: Unpatched command injection vulnerability affects IBM System x3550 M3 and IBM System x3650 M3

Two legacy IBM System x server models that reached end of support in 2019 carry a command injection vulnerability that will not be patched. Because no firmware update is coming, Lenovo has instead published mitigations to reduce the risk of exploitation. The flaw is tracked as CVE-2021-3723 and its discovery is credited to researcher Denver Abrey.

According to the report, the vulnerable models are IBM System x3550 M3 and IBM System x3650 M3. The flaw is a command injection in the Integrated Management Module (IMM), the baseboard management controller firmware used to administer the server out of band. A user who can authenticate to the IMM can supply input that the IMM's command handling passes to its underlying operating system, so the injected commands run with the privileges of the management controller itself rather than being confined to the management interface.

Both System x3550 M3 and System x3650 M3 were released in April 2011 as solutions for small and medium-sized businesses. In June 2015, Lenovo (which had acquired IBM's x86 server business the previous year) announced that both systems were discontinued, but would receive security updates for an additional five years.

This year, a security advisory from Lenovo stated that the flaw allows an attacker who has already authenticated to the IMM over SSH or Telnet to execute arbitrary operating system commands within the IMM firmware. Authentication is required, so the practical exposure depends on who holds IMM credentials, on whether the default administrator password was ever changed, and on whether the SSH and Telnet services are reachable from untrusted networks.
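The pattern behind this class of bug, as an added illustration that is not code from the IMM firmware or from Lenovo's advisory: a management-CLI command takes a user-supplied argument and splices it into a string that a shell parses, so shell metacharacters in the argument become extra commands. The command name (`ping`), the use of `echo` as a harmless stand-in for the real binary, and the hostname allow-list are all assumptions made for this demo. The hardened handler shows the two independent fixes a practitioner would apply: allow-list the argument, and exec the program with an argument vector instead of a shell string.

```python
"""Command injection in a management CLI handler: vulnerable vs. hardened.

Constructed example for this article; not the IMM's actual code. 'echo' stands
in for the real 'ping' binary so the demo runs on any POSIX host without
network access. Requires /bin/sh and an 'echo' executable on PATH.
"""
import re
import subprocess

# Allow-list for the host argument: a hostname or IPv4 literal made of letters,
# digits, dots and hyphens, starting with an alphanumeric (assumption for demo).
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_handler(host: str) -> str:
    """Vulnerable pattern: the argument is concatenated into a single string
    and handed to /bin/sh (shell=True), which parses ';', '|', '`', '$()'."""
    cmdline = f"echo pinging {host}"
    out = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return out.stdout.strip()


def validate_host(host: str) -> str:
    """Reject anything outside the allow-list before it reaches a command."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"invalid host argument: {host!r}")
    return host


def hardened_handler(host: str) -> str:
    """Hardened pattern: allow-list the argument, then exec with an argv list
    and no shell, so the host is delivered to the program as one literal arg."""
    safe = validate_host(host)
    out = subprocess.run(["echo", "pinging", safe], capture_output=True, text=True)
    return out.stdout.strip()


def argv_only_handler(host: str) -> str:
    """Defence in depth: even without validation, argv passing keeps shell
    metacharacters literal, so no second command is ever spawned."""
    out = subprocess.run(["echo", "pinging", host], capture_output=True, text=True)
    return out.stdout.strip()


if __name__ == "__main__":
    benign = "10.0.0.5"
    hostile = "10.0.0.5; echo INJECTED"   # constructed attacker input
    print("vulnerable, benign :", vulnerable_handler(benign))
    print("vulnerable, hostile:", vulnerable_handler(hostile).replace("\n", " | "))
    print("argv-only, hostile :", argv_only_handler(hostile))
    try:
        hardened_handler(hostile)
    except ValueError as exc:
        print("hardened, hostile  : rejected ->", exc)
    print("hardened, benign   :", hardened_handler(benign))
```

With the hostile input, the vulnerable handler's output contains a second line (`INJECTED`) produced by a command the operator never intended to expose; the argv-only handler prints the whole string as one literal argument, and the hardened handler refuses it before any process is started. In firmware written in C the equivalent fixes are replacing `system()`/`popen()` on a formatted buffer with `fork()`+`execv()` on a fixed argv, and validating every operator-supplied field against an allow-list.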

Secure Shell (SSH) is an encrypted remote-login protocol that provides an authenticated, confidential command-line session between two systems. Telnet provides the same kind of remote command-line session but transmits everything, including usernames and passwords, in cleartext. Since exploiting this flaw requires an authenticated session, leaving Telnet enabled on the IMM is doubly risky: anyone able to observe management traffic can capture the credentials needed to reach the vulnerable code.

This is not the first report of this nature. In mid-2020, eight flaws were reported in IMM2, the successor to IMM; those flaws were in the code implementing the SSH2 protocol. Lenovo stopped providing security and software support for System x3550 M3 and x3650 M3 in December 2019.

The advisory includes a series of security recommendations that administrators of affected systems should apply to reduce the risk of exploitation:

  • Disable SSH and Telnet on the IMM (Telnet in particular, since it carries credentials in cleartext)
  • Change the default administrator password during initial setup
  • Enable a strong password policy
  • Grant IMM access only to trusted administrators

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.