CVE-2019-6157


CVSS 6.5 MEDIUM · EPSS 1.3%
In short

The IMM2 management firmware on Lenovo System x servers writes the management web server's private TLS key into the support log (FFDC) it generates. Anyone who obtains such a log can impersonate the management interface and intercept or tamper with traffic to it.

Technical detail

The first failure data capture (FFDC) feature in Lenovo System x IMM2 firmware includes the web server's private key in the generated support log. An attacker who obtains these diagnostic files (through local access, a disclosed backup, or the support channel the bundle is sent over) holds the key material for the management interface's TLS endpoint and can mount man-in-the-middle attacks and hijack management sessions. The CVSS vector rates privileges required as high, since generating an FFDC needs an authenticated IMM2 user; the real exposure is that the bundle routinely leaves the device and ends up in ticketing systems, mail, and file shares. Because a firmware update does not revoke a key that has already been copied out, any server whose FFDC bundles were shared while running an affected version should also have its web server certificate and key regenerated.
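The practical question after reading this advisory is whether a support bundle already in circulation contains the key, and whether that key is the one the IMM2 web interface is still presenting. The following scanner is an added example written for this page, not Lenovo tooling; it assumes the key appears as a PEM block in the bundle text (the advisory does not state the format, so that is an assumption), parses the leading fields of a PKCS#1 RSAPrivateKey to recover the modulus, and compares it with the modulus of the live certificate as printed by `openssl x509 -in imm.crt -noout -modulus`. The embedded FFDC text and key are constructed for the demonstration and are not real firmware output or a real key.

```python
import base64
import hashlib
import re

# Matches any PEM private-key block, e.g. "RSA PRIVATE KEY" (PKCS#1) or
# "PRIVATE KEY" (PKCS#8). The backreference keeps BEGIN/END labels consistent.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----", re.S
)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, as used by real 2048-bit keys
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_from_pkcs1(der):
    """Return (n, e) from a PKCS#1 RSAPrivateKey: SEQUENCE { version, n, e, ... }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("not a two-prime PKCS#1 RSAPrivateKey")
    tag, n, pos = _read_tlv(body, pos)
    tag, e, pos = _read_tlv(body, pos)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def scan_bundle(text):
    """Find PEM private keys in a support-bundle text; report where and which."""
    findings = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        der = base64.b64decode("".join(body.split()))
        finding = {
            "label": label,
            "line": text[:m.start()].count("\n") + 1,
            "sha256": hashlib.sha256(der).hexdigest(),  # fingerprint of the DER
            "modulus": None,
            "exponent": None,
        }
        if label == "RSA PRIVATE KEY":  # PKCS#8 would need one more unwrapping step
            finding["modulus"], finding["exponent"] = rsa_modulus_from_pkcs1(der)
        findings.append(finding)
    return findings


def matches_certificate(finding, openssl_modulus_line):
    """Compare a finding with 'Modulus=HEX' as printed by openssl x509 -modulus."""
    hexmod = openssl_modulus_line.strip().split("=", 1)[-1]
    return finding["modulus"] is not None and finding["modulus"] == int(hexmod, 16)


# --- constructed sample input (not a real key, not real IMM2 output) ----------
def _der_len(n):
    if n < 128:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb


def _der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b


SAMPLE_N = 0xC3D2E1F00F1E2D3C  # toy modulus, far too small to be a real key
SAMPLE_E = 65537
SAMPLE_D = 0x0A0B0C0D0E0F1011  # placeholder private exponent, not mathematically valid
_body = _der_int(0) + _der_int(SAMPLE_N) + _der_int(SAMPLE_E) + _der_int(SAMPLE_D)
_der = b"\x30" + _der_len(len(_body)) + _body
_b64 = base64.b64encode(_der).decode()
SAMPLE_PEM = "-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(
    _b64[i:i + 64] for i in range(0, len(_b64), 64)
) + "\n-----END RSA PRIVATE KEY-----"

SAMPLE_FFDC = "\n".join([
    "IMM2 FFDC capture (constructed sample, not real firmware output)",
    "webserver: loaded TLS certificate and key",
    SAMPLE_PEM,
    "end of capture",
])

if __name__ == "__main__":
    for f in scan_bundle(SAMPLE_FFDC):
        print(f"line {f['line']}: {f['label']} sha256={f['sha256'][:16]}... "
              f"n_bits={f['modulus'].bit_length() if f['modulus'] else '?'}")
```

Run it over a real bundle with `scan_bundle(open(path, errors="replace").read())`; a non-empty result means the log must be treated as containing credentials, and a modulus match against the live certificate means the key is still in use and must be regenerated, not merely the firmware updated.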

Summary generated and translated by AI from the official description.
In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Affected products
Lenovo · System x
