Advisory

IBM fixes a critical security flaw in Power Systems Flexible Service Processor

Take action: If you are using IBM Power systems, update your FSP firmware. The FSP is designed to be remotely accessible, ideally only from a VPN or a separate management network, but hard-coded credentials mean that any compromise of that access exposes your servers. Don't delay: FSPs can be patched without harming the running server.


Learn More

IBM has disclosed a critical security vulnerability in its Flexible Service Processor (FSP). The FSP is an always-on management processor used in IBM Power Systems to provide out-of-band management, enabling system monitoring, configuration, and control for server nodes within data centers.

The flaw, tracked as CVE-2024-45656 (CVSS score 9.8), is caused by static (hard-coded) credentials and allows unauthorized network users to gain service privileges, posing a significant risk to affected systems.

The vulnerability impacts multiple firmware versions across various IBM Power Systems:

  • Power10 Servers - Firmware versions FW1030.00 to FW1030.61, FW1050.00 to FW1050.21, and FW1060.00 to FW1060.10.
  • Power9 Servers - Firmware versions FW950.00 to FW950.C0.
  • Power8 Servers - Firmware versions FW860.00 to FW860.B3.

IBM has released updated firmware versions to address this vulnerability:

  • Power10: FW1030.62 (1030_082), FW1050.22 (1050_063), FW1060.11 (1060_065) or newer.
  • Power9: FW950.C1 (950_165) or newer.
  • Power8: FW860.B4 (860_246) or newer.

Organizations should apply firmware updates, as no workarounds are available.
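As an added example (not IBM's tooling and not part of the advisory), the Python script below encodes the affected and fixed firmware levels listed above and triages an inventory of FSP firmware levels into hosts that still need the update. It assumes that the two-character level suffix (61, C0, B4, ...) orders as a hexadecimal number, which is consistent with the ranges quoted here; the hostnames and levels in the sample inventory are constructed, and how you collect real levels from your environment is outside its scope.

```python
from __future__ import annotations

import re

# Affected and fixed FSP firmware levels, as listed in the IBM advisory.
# Key: release stream (the digits after "FW"); value: (first affected minor,
# last affected minor, first fixed minor). Minor levels are two characters.
ADVISORY_LEVELS = {
    "1030": ("00", "61", "62"),   # Power10: FW1030.00-FW1030.61, fixed in FW1030.62
    "1050": ("00", "21", "22"),   # Power10: FW1050.00-FW1050.21, fixed in FW1050.22
    "1060": ("00", "10", "11"),   # Power10: FW1060.00-FW1060.10, fixed in FW1060.11
    "950":  ("00", "C0", "C1"),   # Power9:  FW950.00-FW950.C0,   fixed in FW950.C1
    "860":  ("00", "B3", "B4"),   # Power8:  FW860.00-FW860.B3,   fixed in FW860.B4
}

# Matches levels such as "FW1030.61" or "FW950.C0"; a trailing build id in
# parentheses, e.g. "(1030_082)", is tolerated and ignored.
LEVEL_RE = re.compile(r"^FW(\d{3,4})\.([0-9A-F]{2})(?:\s*\(\w+\))?$", re.IGNORECASE)


def parse_level(level: str) -> tuple[str, int]:
    """Split a firmware level into (release stream, minor as an integer).

    Assumption: the two-character minor (61, C0, B4, ...) orders as a
    hexadecimal number, which is consistent with the ranges in the advisory.
    """
    match = LEVEL_RE.match(level.strip())
    if not match:
        raise ValueError(f"unrecognised FSP firmware level: {level!r}")
    return match.group(1), int(match.group(2), 16)


def assess(level: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one firmware level."""
    release, minor = parse_level(level)
    if release not in ADVISORY_LEVELS:
        return "not-listed"          # stream not named in the advisory
    first, last, fixed = (int(x, 16) for x in ADVISORY_LEVELS[release])
    if first <= minor <= last:
        return "vulnerable"
    if minor >= fixed:
        return "fixed"
    return "not-listed"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so the 'vulnerable' list can drive patching."""
    groups: dict[str, list[str]] = {
        "vulnerable": [], "fixed": [], "not-listed": [], "unparsed": []
    }
    for host, level in inventory.items():
        try:
            groups[assess(level)].append(host)
        except ValueError:
            groups["unparsed"].append(host)   # needs a manual look, not silence
    return groups


# Constructed sample inventory (hostnames and levels are made up for illustration).
SAMPLE_INVENTORY = {
    "p10-node-01": "FW1030.61",
    "p10-node-02": "FW1030.62 (1030_082)",
    "p9-node-01":  "FW950.C0",
    "p9-node-02":  "FW950.C1",
    "p8-node-01":  "FW860.B4",
    "lab-box":     "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:11s} {', '.join(hosts) or '-'}")
```

Levels that do not parse are reported under "unparsed" rather than dropped, so a host with an unexpected or missing level still shows up for manual review instead of silently passing as patched.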
