CVE-2023-2992 — Asymmetric Resource Consumption (Amplification) in Lenovo System Management Module

CWE-405 — Asymmetric Resource Consumption (Amplification)CWE-400 — Uncontrolled Resource Consumption3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.3%

top 49.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Lenovo Nextscale N1200 Enclosure Firmware Lenovo Thinkagile Cp-cb-10 Firmware Lenovo Thinkagile Cp-cb-10e Firmware +7 more

Timeline

PublishedJun 26

Description

An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted conditions. Rebooting SMM or FPC will restore access to the management web server.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages10 packages

▶CVEListV5lenovo/system_management_modulevarious

▶NVDlenovo/thinkagile_cp-cb-10_firmware< tesm38c-1.26

▶NVDlenovo/thinkagile_cp-cb-10e_firmware< tesm38c-1.26

▶NVDlenovo/thinkagile_vx_enclosure_firmware< tesm38c-1.26

▶NVDlenovo/thinksystem_d2_enclosure_firmware< tesm38c-1.26

🔴Vulnerability Details

GHSA

GHSA-gqhx-wxjr-rphx: An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted co↗2023-06-26

▶

CVEList

CVE-2023-2992: An unauthenticated denial of service vulnerability exists in the SMM v1, SMM v2, and FPC management web server which can be triggered under crafted co↗2023-06-26

▶