A critical vulnerability has been disclosed in IBM Power Systems servers that could allow unauthorized access to, and complete control over, affected systems. The flaw, tracked as CVE-2024-45656, stems from the use of static credentials in the IBM Flexible Service Processor (FSP), the out-of-band service processor that initializes, manages and monitors the server's hardware and firmware independently of the host operating systems. The vulnerability carries a CVSS base score of 9.8 (Critical), reflecting both its ease of exploitation and the extent of the impact.
An attacker with network access to the FSP could use these static credentials to gain service privileges on the FSP; no prior authentication or user interaction is needed, which is what the 9.8 score reflects. Service-level control of the service processor places the attacker beneath the hypervisor and every partition's operating system, a position from which the server can be taken over completely: sensitive data stolen, operations disrupted, or malicious code installed persistently. Because the attack depends on reaching the FSP over the network, exposure is greatest where the FSP's service interfaces are reachable from general-purpose networks rather than an isolated management network.
The vulnerability affects a wide range of IBM Power Systems servers, including Power8, Power9 and Power10 systems running the firmware versions listed below. IBM also notes that all earlier firmware releases of the listed products are affected, including releases that are no longer supported, so a system running older firmware cannot be assumed to be safe.
| Affected Product(s) | Version(s) |
|---|---|
| Server Firmware | FW1060.00 – FW1060.10 |
| Server Firmware | FW1050.00 – FW1050.21 |
| Server Firmware | FW1030.00 – FW1030.61 |
| Server Firmware | FW950.00 – FW950.C0 |
| Server Firmware | FW860.00 – FW860.B3 |
IBM has issued a critical security bulletin urging users to update their FSP firmware immediately; the fixed firmware levels are available from IBM Fix Central. Organizations relying on IBM Power Systems should prioritize the update and confirm the installed firmware level afterwards. Until the update is applied, limiting which networks can reach the FSP's service interfaces reduces exposure, since exploitation requires network access to the FSP.
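To put the table to use across a fleet, here is an added example, written for this page and not IBM's own code or tooling, that classifies firmware level strings (as reported by the HMC or the operating system's firmware tools) against the affected ranges listed above. The hostnames and levels in the sample inventory are constructed, and the script assumes the two-character level suffix is hexadecimal, which is consistent with published levels such as FW950.C0 and FW860.B3.

```python
"""Triage IBM Power server firmware levels against the affected ranges for CVE-2024-45656.

Added example (not IBM's code or tooling). It encodes only the ranges from the table
above; a stream that is not in the table is reported as 'unlisted_stream' for manual
checking against the IBM bulletin.
"""
import re

# Affected ranges exactly as listed in the table: stream -> (lowest, highest) level.
# Assumption: the two-character level suffix is hexadecimal, which is consistent with
# published levels such as FW950.C0 and FW860.B3.
AFFECTED_RANGES: dict[int, tuple[int, int]] = {
    1060: (0x00, 0x10),
    1050: (0x00, 0x21),
    1030: (0x00, 0x61),
    950: (0x00, 0xC0),
    860: (0x00, 0xB3),
}

_LEVEL_RE = re.compile(r"^FW(\d{3,4})\.([0-9A-F]{2})$")


def parse_level(level: str) -> tuple[int, int]:
    """Split 'FW1050.21' into (stream=1050, level=0x21); raise ValueError on anything else."""
    m = _LEVEL_RE.match(level.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised firmware level: {level!r}")
    return int(m.group(1)), int(m.group(2), 16)


def classify(level: str) -> str:
    """Return 'affected', 'above_listed_range' or 'unlisted_stream' for one level.

    'above_listed_range' means the stream is in the table but the level is newer than the
    highest affected level shown. That only says the level is outside the listed ranges;
    it does not prove the fix is installed, so confirm the fix level against the bulletin.
    """
    stream, lvl = parse_level(level)
    if stream not in AFFECTED_RANGES:
        return "unlisted_stream"
    low, high = AFFECTED_RANGES[stream]
    if low <= lvl <= high:
        return "affected"
    return "above_listed_range"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by classification so the 'affected' list can go straight to the
    patching queue. Unparseable levels land in 'unparseable' instead of aborting the run."""
    buckets: dict[str, list[str]] = {
        "affected": [],
        "above_listed_range": [],
        "unlisted_stream": [],
        "unparseable": [],
    }
    for host, level in sorted(inventory.items()):
        try:
            buckets[classify(level)].append(host)
        except ValueError:
            buckets["unparseable"].append(host)
    return buckets


# Constructed inventory for demonstration only: hostnames and levels are made up.
SAMPLE_INVENTORY = {
    "p10-prod-01": "FW1050.21",  # highest affected level of its stream
    "p10-prod-02": "FW1050.30",  # newer than the listed range
    "p10-dev-01": "FW1060.10",
    "p9-db-01": "FW950.C0",
    "p8-legacy-01": "FW860.B3",
    "p8-legacy-02": "FW860.B4",
    "p9-old-01": "FW940.60",     # stream not in the table
    "hmc-typo": "1050.21",       # missing 'FW' prefix, reported as unparseable
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>19}: {', '.join(hosts) or '-'}")
```

A level newer than a stream's listed range is reported as above the range rather than as fixed, because the table gives only the affected levels. Streams absent from the table are flagged for manual review rather than treated as safe, since the bulletin states that earlier releases are also affected.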