#VU80745 Permissions, Privileges, and Access Controls in Hardware solutions


Published: 2023-09-13

Vulnerability identifier: #VU80745

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-4606

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ThinkAgile HX5530 Appliance
Hardware solutions / Firmware
ThinkAgile HX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX1331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX2330 Appliance
Hardware solutions / Firmware
ThinkAgile HX2331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3330 Appliance
Hardware solutions / Firmware
ThinkAgile HX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3331 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile HX3375 Appliance
Hardware solutions / Firmware
ThinkAgile HX3376 Certified Node
Hardware solutions / Firmware
ThinkAgile HX5531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7530 Appl for SAP HANA
Hardware solutions / Firmware
ThinkAgile HX7531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7531 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile MX3330-F All-flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3330-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3331-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile MX3331-H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3530 F All flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3530-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3531 H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3531-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile VX2330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3530-G Appliance
Hardware solutions / Firmware
ThinkAgile VX5530 Appliance
Hardware solutions / Firmware
ThinkAgile VX7330 Appliance
Hardware solutions / Firmware
ThinkAgile VX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX7531 Certified Node
Hardware solutions / Firmware
ThinkSystem SD630 V2
Hardware solutions / Firmware
ThinkSystem SD650 V2
Hardware solutions / Firmware
ThinkSystem SD650 V3
Hardware solutions / Firmware
ThinkSystem SD650-N V2
Hardware solutions / Firmware
ThinkSystem SD665 V3
Hardware solutions / Firmware
ThinkSystem SN550 V2
Hardware solutions / Firmware
ThinkSystem SR250 V2
Hardware solutions / Firmware
ThinkSystem SR258 V2
Hardware solutions / Firmware
ThinkSystem SR630 V2
Hardware solutions / Firmware
ThinkSystem SR630 V3
Hardware solutions / Firmware
ThinkSystem SR635 V3
Hardware solutions / Firmware
ThinkSystem SR645
Hardware solutions / Firmware
ThinkSystem SR645 V3
Hardware solutions / Firmware
ThinkSystem SR650 V2
Hardware solutions / Firmware
ThinkSystem SR650 V3
Hardware solutions / Firmware
ThinkSystem SR655 V3
Hardware solutions / Firmware
ThinkSystem SR665
Hardware solutions / Firmware
ThinkSystem SR665 V3
Hardware solutions / Firmware
ThinkSystem SR670 V2
Hardware solutions / Firmware
ThinkSystem SR675 V3
Hardware solutions / Firmware
ThinkSystem SR850 V2
Hardware solutions / Firmware
ThinkSystem SR850 V3
Hardware solutions / Firmware
ThinkSystem SR860 V2
Hardware solutions / Firmware
ThinkSystem SR860 V3
Hardware solutions / Firmware
ThinkSystem ST250 V2
Hardware solutions / Firmware
ThinkSystem ST258 V2
Hardware solutions / Firmware
ThinkSystem ST650 V2
Hardware solutions / Firmware
ThinkSystem ST650 V3
Hardware solutions / Firmware
ThinkSystem ST658 V2
Hardware solutions / Firmware
ThinkSystem ST658 V3
Hardware solutions / Firmware

Vendor: Lenovo

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to improperly imposed security restrictions. A remote authenticated Lenovo XClarity Controller (XCC) user with ReadOnly permissions can use an API command to change the password of another user.

Mitigation
Install updates from the vendor's website.

Vulnerable software versions


External links
http://support.lenovo.com/us/en/product_security/LEN-140960


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
