CVE-2018-18202

CVSS base score: 9.8 (CRITICAL)

📋 TL;DR

CVE-2018-18202 covers undocumented, hardcoded accounts (support, diags and prom) with known passwords in the firmware of QLogic Fibre Channel switch modules for IBM BladeCenter. Anyone who can reach a module's management interface can log in with these credentials and gain administrative control of the module. Organizations running IBM BladeCenter chassis with the QLogic 4Gb Fibre Channel Module or the QLogic 4/8Gb SAN Module on the affected firmware builds are exposed.

💻 Affected Systems

Products:
  • IBM BladeCenter QLogic 4Gb Fibre Channel Module
  • IBM BladeCenter QLogic 4/8Gb SAN Module
Affected firmware: QLogic 4Gb Fibre Channel Module 5.5.2.6.0; QLogic 4/8Gb SAN Module 7.10.1.20.0
Operating Systems: Not OS-specific; the flaw is in the module firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Every module running an affected firmware build is vulnerable out of the box. The undocumented accounts are not visible in, and cannot be disabled through, the normal user-management interface; removing them requires a firmware update.

📦 What is this software?

Fibre Channel switch modules that slot into an IBM BladeCenter chassis I/O bay and connect the chassis's blade servers to a SAN. The vulnerable component is the module's own management firmware (reached over SSH, Telnet or the module's web interface), not a host operating system.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the affected BladeCenter storage fabric: an attacker with administrative access to the module can reconfigure zoning and storage paths, intercept or redirect data, deploy malicious firmware, or disrupt operations.

🟠 Likely Case

Unauthorized administrative access to the storage modules, enabling configuration changes, access to data on the fabric, and lateral movement to connected systems.

🟢 If Mitigated

Limited impact if network segmentation isolates the module management interfaces and strict access controls prevent unauthorized hosts from reaching them.

🌐 Internet-Facing: LOW (storage modules typically not internet-facing)
🏢 Internal Only: HIGH (hardcoded credentials allow easy internal compromise if modules are accessible)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No in the strict sense (a login is required), but the required credentials are hardcoded and publicly known, so in practice anyone who can reach the management interface can authenticate
Complexity: LOW

Exploitation requires only network access to the module's management interface (SSH or Telnet) and the published account names and passwords. No special tooling is needed beyond a standard SSH or Telnet client.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not stated on this page; consult the IBM advisory below for the fixed firmware build for each module

Vendor Advisory: https://www.ibm.com/support/pages/node/1106565

Restart Required: Yes

Instructions:

1. Check IBM support for the latest firmware for your module (4Gb Fibre Channel Module or 4/8Gb SAN Module).
2. Back up the module's current configuration.
3. Download and apply the firmware update.
4. Reboot the affected modules.
5. Verify the new firmware version, confirm that logins as support, diags and prom are rejected, and reconfigure if needed.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate the storage module management interfaces from general network access; only designated management hosts should be able to reach them.

Access Control Lists (applies to: all)

Implement strict firewall rules limiting access to the module management interfaces (SSH, Telnet and web) to those management hosts.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only designated management hosts can reach the storage module management interfaces
  • Monitor the module's SSH/Telnet/web authentication logs for any attempt to log in as support, diags or prom, and treat a successful login as a confirmed compromise

🔍 How to Verify

Check if Vulnerable:

Read the firmware version from the module's management interface or from the IBM BladeCenter management console and compare it against the affected builds: 5.5.2.6.0 for the 4Gb Fibre Channel Module and 7.10.1.20.0 for the 4/8Gb SAN Module.

Check Version:

Varies by management interface; typically via the module CLI over SSH/Telnet or the module's web interface.

Verify Fix Applied:

Confirm the firmware version is no longer an affected build, then, from an authorized management host, attempt an SSH or Telnet login as support, diags and prom with the published passwords and confirm that each attempt is rejected.

📡 Detection & Monitoring

Log Indicators:

  • Authentication attempts using 'support', 'diags', or 'prom' accounts
  • Unusual configuration changes to storage modules

Network Indicators:

  • Unexpected SSH/Telnet connections to storage module management ports
  • Traffic from storage modules to unusual destinations

SIEM Query:

dest_ip="storage_module_ip" AND (username="support" OR username="diags" OR username="prom")

(The module is the target of the login, so filter on the destination address of the authentication event, not the source; the source address is the attacker's host and is what you want to report.)
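The detection logic above, as an added example (not code from the page or from IBM/QLogic): a small Python analyzer that runs over module authentication logs and raises an alert for any attempt against the three hardcoded account names, and for any login from outside the management subnet. The syslog-style line format, the hostnames, the addresses and the management subnet 10.0.50.0/24 are all assumptions; the sample log lines are constructed for the example and do not come from a real module.

```python
import ipaddress
import re

# Account names called out for CVE-2018-18202 on this page.
HARDCODED_ACCOUNTS = {"support", "diags", "prom"}

# Assumed: only hosts in this subnet are allowed to manage the modules.
MGMT_ALLOWED = [ipaddress.ip_network("10.0.50.0/24")]

# Assumed syslog-style auth line: "<ts> <host> <sshd|telnetd>: Accepted|Failed <method> for <user> from <src> ..."
# The real module log format is not documented on this page; adjust the pattern to match yours.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<svc>sshd|telnetd):\s+"
    r"(?P<result>Accepted|Failed)\s+(?P<method>\w+)\s+for\s+(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)

# Constructed sample log; not from a real device.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z fcsw-bay3 sshd: Accepted password for admin from 10.0.50.10 port 51234
2024-03-01T10:02:17Z fcsw-bay3 sshd: Failed password for support from 10.0.77.23 port 40022
2024-03-01T10:02:19Z fcsw-bay3 sshd: Accepted password for support from 10.0.77.23 port 40024
2024-03-01T10:05:44Z fcsw-bay4 telnetd: Accepted password for diags from 10.0.50.10 port 23
2024-03-01T10:06:00Z fcsw-bay3 sshd: Accepted password for admin from 192.168.9.9 port 50001
garbage line that does not parse
"""


def parse_line(line):
    """Parse one auth log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines, allowed_nets=MGMT_ALLOWED):
    """Return one alert per suspicious authentication event.

    An event is suspicious if it targets a hardcoded account (any outcome) or
    if its source address is outside the allowed management subnets.
    A successful login to a hardcoded account is rated critical; anything
    else that is flagged is rated high.
    """
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        reasons = []
        if ev["user"] in HARDCODED_ACCOUNTS:
            reasons.append("hardcoded-account")
        try:
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in allowed_nets):
                reasons.append("source-outside-mgmt-net")
        except ValueError:
            reasons.append("unparseable-source")
        if not reasons:
            continue
        critical = ev["result"] == "Accepted" and "hardcoded-account" in reasons
        alerts.append({
            "ts": ev["ts"],
            "host": ev["host"],
            "service": ev["svc"],
            "user": ev["user"],
            "src": ev["src"],
            "result": ev["result"],
            "reasons": reasons,
            "severity": "critical" if critical else "high",
        })
    return alerts


def attackers(alerts):
    """Map each source address to the set of module hosts it touched, for reporting."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["src"], set()).add(a["host"])
    return seen


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG.splitlines()):
        print(f'{a["severity"].upper():8} {a["ts"]} {a["host"]} {a["service"]} '
              f'{a["result"]} login as {a["user"]} from {a["src"]} ({", ".join(a["reasons"])})')
```

Run it against exported module logs (or feed the same logic into your SIEM as a saved search); the severity split lets a failed probe of a hardcoded account page the on-call engineer while a successful one triggers an incident.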

🔗 References

  • IBM Security Bulletin: https://www.ibm.com/support/pages/node/1106565