Authentication bypass in Lenovo Service Framework - CVE-2017-3765
Published: January 23, 2018
Vulnerability identifier: #VU10152
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-3765
CWE-ID: CWE-592
Exploitation vector: Local access
Exploit availability:
No public exploit available
Vendor: Lenovo
Affected software:
Lenovo Service Framework
Lenovo Service Framework
Detailed vulnerability description
The vulnerability allows a local attacker to bypass security restrictions on the target system.
The weakness exists in the Enterprise Network Operating System (ENOS) firmware due to the presence of a mechanism, known as HP Backdoor, for bypassing authentication on the affected switches. A local attacker can use credentials unique to a targeted switch to authenticate to the switch, bypass authentication and gain administrative-level access to the switch.
Successful exploitation of the vulnerability may result in system compromise.
The weakness exists in the Enterprise Network Operating System (ENOS) firmware due to the presence of a mechanism, known as HP Backdoor, for bypassing authentication on the affected switches. A local attacker can use credentials unique to a targeted switch to authenticate to the switch, bypass authentication and gain administrative-level access to the switch.
Successful exploitation of the vulnerability may result in system compromise.
How to mitigate CVE-2017-3765
Install update from vendor's website.