Vulnerability Note VU#194604
IBM Power 5 Service Processor privilege escalation vulnerability
Overview
IBM Power 5 Service Processor contain a vulnerability which could allow an attacker to operate with elevated privileges.
Description
IBM's security advisory states, "A security issue has been identified on IBM Power 5 Systems such that the firewall code does not get executed in certain network configurations leading to elevated privilege. The issue only exists on Service Processor for IBM Power 5 Systems listed below and has not been found to exist in any other IBM System." |
Impact
An attacker with access to the IBM Power 5 Service Processor could escalate their privileges allowing them to to perform administrative functions on the system. |
Solution
Update
|
IBM's security advisory states the following workaround, "Configure (any) Static IP addresses on at least one Ethernet interface of the IBM Service processor." |
Vendor Information (Learn More)
IBM's security advisory states the following affected products and versions are affected by this vulnerability: |
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| IBM Corporation | Affected | 10 Oct 2012 | 04 Dec 2012 |
CVSS Metrics (Learn More)
| Group | Score | Vector |
|---|---|---|
| Base | 7.9 | AV:A/AC:M/Au:N/C:C/I:C/A:C |
| Temporal | 6.2 | E:POC/RL:OF/RC:C |
| Environmental | 1.8 | CDP:LM/TD:L/CR:ND/IR:ND/AR:ND |
References
Credit
Thanks to Brian Smith for reporting this vulnerability.
This document was written by Michael Orlando.
Other Information
- CVE IDs: CVE-2012-4856
- Date Public: 19 Nov 2012
- Date First Published: 12 Dec 2012
- Date Last Updated: 02 Jan 2013
- Document Revision: 14
Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.
View Notes By
Report a Vulnerability
Please use the Vulnerability Reporting Form to report a vulnerability. Alternatively, you can send us email. Be sure to read our vulnerability disclosure policy.