CVE-2022-22309 - OpenCVE

The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:L/AC:L/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ibm	Power System S922 Power System S922 Firmware

Configuration 1 [-]

AND

OR	cpe:2.3:o:ibm:power_system_s922_firmware::::::::
	cpe:2.3:o:ibm:power_system_s922_firmware::::::::
	cpe:2.3:o:ibm:power_system_s922_firmware::::::::

cpe:2.3:h:ibm:power_system_s922:-:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://exchange.xforce.ibmcloud.com/vulnerabilities/217095
https://www.ibm.com/support/pages/node/6589099

History

No history.

MITRE

Status: PUBLISHED

Assigner: ibm

Published: 2022-05-24T16:20:18.499237Z

Updated: 2024-09-16T16:52:49.070Z

Reserved: 2022-01-03T00:00:00

Link: CVE-2022-22309

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2022-05-24T17:15:08.277

Modified: 2022-06-21T19:55:59.257

Link: CVE-2022-22309

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "Power System S922 Server", "vendor": "IBM", "versions": [{"status": "affected", "version": "FW940"}, {"status": "affected", "version": "FW950"}]}], "datePublic": "2022-05-23T00:00:00", "descriptions": [{"lang": "en", "value": "The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "exploitCodeMaturity": "UNPROVEN", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 5.9, "temporalSeverity": "MEDIUM", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/UI:N/A:H/C:H/S:U/AC:L/I:H/PR:N/RC:C/E:U/RL:O", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Gain Privileges", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-05-24T16:20:18", "orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "shortName": "ibm"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.ibm.com/support/pages/node/6589099"}, {"name": "ibm-power-cve202222309-code-exec (217095)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/217095"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@us.ibm.com", "DATE_PUBLIC": "2022-05-23T00:00:00", "ID": "CVE-2022-22309", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Power System S922 Server", "version": {"version_data": [{"version_value": "FW940"}, {"version_value": "FW950"}]}}]}, "vendor_name": "IBM"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095."}]}, "impact": {"cvssv3": {"BM": {"A": "H", "AC": "L", "AV": "P", "C": "H", "I": "H", "PR": "N", "S": "U", "UI": "N"}, "TM": {"E": "U", "RC": "C", "RL": "O"}}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Gain Privileges"}]}]}, "references": {"reference_data": [{"name": "https://www.ibm.com/support/pages/node/6589099", "refsource": "CONFIRM", "title": "IBM Security Bulletin 6589099 (Power System S922 Server)", "url": "https://www.ibm.com/support/pages/node/6589099"}, {"name": "ibm-power-cve202222309-code-exec (217095)", "refsource": "XF", "title": "X-Force Vulnerability Report", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/217095"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T03:07:50.311Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.ibm.com/support/pages/node/6589099"}, {"name": "ibm-power-cve202222309-code-exec (217095)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/217095"}]}]}, "cveMetadata": {"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522", "assignerShortName": "ibm", "cveId": "CVE-2022-22309", "datePublished": "2022-05-24T16:20:18.499237Z", "dateReserved": "2022-01-03T00:00:00", "dateUpdated": "2024-09-16T16:52:49.070Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ibm:power_system_s922_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "AFB62F0F-9BEB-4498-AA81-3454F7D82373", "versionEndExcluding": "860.b0", "versionStartIncluding": "860", "vulnerable": true}, {"criteria": "cpe:2.3:o:ibm:power_system_s922_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "613CAFC8-36DE-447A-A5D7-10FA68289EE6", "versionEndExcluding": "940.60", "versionStartIncluding": "940", "vulnerable": true}, {"criteria": "cpe:2.3:o:ibm:power_system_s922_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "0036F29D-3962-45F1-AF05-3E8B6C6199F5", "versionEndExcluding": "950.40", "versionStartIncluding": "950", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ibm:power_system_s922:-:*:*:*:*:*:*:*", "matchCriteriaId": "EA5B852F-8016-4996-BC56-6B52E3880298", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The POWER systems FSP is vulnerable to unauthenticated logins through the serial port/TTY interface. This vulnerability can be more critical if the serial port is connected to a serial-over-lan device. IBM X-Force ID: 217095."}, {"lang": "es", "value": "El FSP de los sistemas POWER es vulnerable a los inicios de sesi\u00f3n no autenticados mediante el puerto serie/interfaz TTY. Esta vulnerabilidad puede ser m\u00e1s cr\u00edtica si el puerto serie est\u00e1 conectado a un dispositivo serial-over-lan. IBM X-Force ID: 217095"}], "id": "CVE-2022-22309", "lastModified": "2022-06-21T19:55:59.257", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "psirt@us.ibm.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-24T17:15:08.277", "references": [{"source": "psirt@us.ibm.com", "tags": ["VDB Entry", "Vendor Advisory"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/217095"}, {"source": "psirt@us.ibm.com", "tags": ["Vendor Advisory"], "url": "https://www.ibm.com/support/pages/node/6589099"}], "sourceIdentifier": "psirt@us.ibm.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "nvd@nist.gov", "type": "Primary"}]}