Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2018-0739, CVE-2018-10811 |
CWE-ID | CWE-400, CWE-119 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Flex System FC3171 8Gb SAN Pass-thru (Hardware solutions / Other hardware appliances); Flex System FC3171 8Gb SAN Switch (Hardware solutions / Other hardware appliances) |
Vendor | IBM Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU11294
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-0739
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The weakness exists due to excessive stack memory consumption. A remote attacker can cause the service to crash.
Mitigation: Install update from vendor's website.
Vulnerable software versions:
Flex System FC3171 8Gb SAN Pass-thru: before 9.1.15.01.00
Flex System FC3171 8Gb SAN Switch: before 9.1.15.01.00
https://www.ibm.com/support/pages/node/887845
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU13125
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2018-10811
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description: The vulnerability allows a remote attacker to cause a DoS condition on the target system.
The vulnerability exists in the Internet Key Exchange Version 2 (IKEv2) key derivation of strongSwan due to insufficient initialization of the variable that stores the SKEYSEED for IKEv2 key derivation before using the negotiated pseudorandom function (PRF). A remote attacker can trigger a key derivation failure and cause the affected software to clear uninitialized memory, which may lead to a crash.
Mitigation: Install update from vendor's website.
Vulnerable software versions:
Flex System FC3171 8Gb SAN Pass-thru: before 9.1.15.01.00
Flex System FC3171 8Gb SAN Switch: before 9.1.15.01.00
https://www.ibm.com/support/pages/node/887845
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.