#VU22865 Code Injection in Lenovo XClarity Controller (XCC) - CVE-2019-6187
Published: November 20, 2019
Lenovo XClarity Controller (XCC)
Lenovo
Description
The vulnerability allows a local user to inject arbitrary code into CSV files.
The vulnerability exists due to insufficient sanitization of user-supplied data when constructing CSV files. A local administrator can store malformed data in certain XCC server informational fields, which could result in crafted formulas being stored in an exported CSV file.
Successful exploitation of this vulnerability may allow a local administrator to execute arbitrary code and compromise the vulnerable system.
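The following is an added example, not Lenovo's fix and not code from this advisory: it shows how an exporter can neutralize formula-leading cells when constructing a CSV file, and how to check an already exported file for cells a spreadsheet would evaluate. The field names and sample rows are constructed assumptions; the prefix list follows OWASP's CSV injection guidance.

```python
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the value as text that a spreadsheet will display, not evaluate."""
    text = "" if value is None else str(value)
    # A leading apostrophe forces text mode. Legitimate values such as "-3"
    # are prefixed too; that is the accepted trade-off for untrusted fields.
    return "'" + text if text.startswith(FORMULA_PREFIXES) else text


def export_csv(rows, fieldnames, neutralize=True):
    """Serialize dict rows to CSV; neutralize=False mimics an unsanitized export."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        cells = {k: str(row.get(k, "")) for k in fieldnames}
        if neutralize:
            cells = {k: neutralize_cell(v) for k, v in cells.items()}
        writer.writerow(cells)
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Return (line, column, value) for every cell that starts like a formula."""
    reader = csv.reader(io.StringIO(csv_text))
    header = next(reader, [])
    hits = []
    for row in reader:
        for col, cell in zip(header, row):
            if cell.startswith(FORMULA_PREFIXES):
                hits.append((reader.line_num, col, cell))
    return hits


# Constructed sample: hypothetical informational fields, one holding a benign formula.
FIELDS = ["name", "contact", "location"]
SAMPLE_ROWS = [
    {"name": "node-01", "contact": "ops@example.com", "location": "Rack 12"},
    {"name": "node-02", "contact": "=1+1", "location": "-3 floor"},
]
```

Running `find_formula_cells` over exports produced before the firmware update is a quick way to see whether any stored field values need cleaning up.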
Remediation
| Product | Minimum Fix Version | Download Link | Status Last Updated |
|---|---|---|---|
| ThinkAgile HX series, Machine Types: 7X82, 7Y88, 7Z03 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkAgile HX Series, Machine Types: 7X83,YX84,7Y89,7Y90,7Z04,7Z05,7Z06,7Z07 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkAgile MX Certified Nodes, Machine Types: 7Z20,7D1H | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkAgile VX series, Machine Types: 7Y11, 7Y12, 7Y92 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkAgile VX Series, Machine Types: 7Y13,7Y14,7Y93,7Y94 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SD530, Machine Types: 7X21 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SD650 DWC Dual Node Tray, Machine Types: 7X58 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SN550, Machine Types: 7X16 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SN850, Machine Types: 7X15 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SR150 / SR158, Machine Types: 7Y54,7Y55 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SR250/SR258, Machine Types: 7Y51,7Y52,7Y72,7Y73,7Y53 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SR530, Machine Types: 7X07,7X08 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR550, Machine Types: 7X03,7X04 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR570, Machine Types: 7Y02,7Y03 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR590, Machine Types: 7X98,7X99 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR630, Machine Types: 7X01,7X02 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR650, Machine Types: 7X05,7X06 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem SR670 Server, Machine Types: 7Y36, 7Y37, 7Y38 | G1I312 | https://datacentersupport.lenovo.com/downloads/DS542157 | 2019-11-19 |
| ThinkSystem SR850, Machine Types: 7X18, 7X19 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SR860, Machine Types: 7X69, 7X70 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem SR950 Server, Machine Types: 7X11,7X12,7X13,7Y95,7Y96,7Z08,7Z09 | PSI328M | https://datacentersupport.lenovo.com/downloads/DS542206 | 2019-11-19 |
| ThinkSystem ST250/ST258, Machine Types: 7Y45,7Y46,7Y47 | TEI392M | https://datacentersupport.lenovo.com/downloads/DS542158 | 2019-11-19 |
| ThinkSystem ST550, Machine Types: 7X09,7X10 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |
| ThinkSystem ST558, Machine Types: 7Y15,7Y16 | CDI340M | https://datacentersupport.lenovo.com/downloads/DS542159 | 2019-11-19 |