#VU80746 Permissions, Privileges, and Access Controls in Lenovo products - CVE-2023-4607


Vulnerability identifier: #VU80746

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-4607

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
ThinkAgile HX5530 Appliance
Hardware solutions / Firmware
ThinkAgile HX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX Enclosure Certified Node
Hardware solutions / Firmware
ThinkAgile HX1021 Edge Certified Node 3yr
Hardware solutions / Firmware
ThinkAgile HX1320 Appliance
Hardware solutions / Firmware
ThinkAgile HX1321 Certified Node
Hardware solutions / Firmware
ThinkAgile HX1331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX1520-R Appliance
Hardware solutions / Firmware
ThinkAgile HX1521-R Certified Node
Hardware solutions / Firmware
ThinkAgile HX2320-E Appliance
Hardware solutions / Firmware
ThinkAgile HX2321 Certified Node
Hardware solutions / Firmware
ThinkAgile HX2330 Appliance
Hardware solutions / Firmware
ThinkAgile HX2331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX2720-E Appliance
Hardware solutions / Firmware
ThinkAgile HX3320 Appliance
Hardware solutions / Firmware
ThinkAgile HX3321 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3330 Appliance
Hardware solutions / Firmware
ThinkAgile HX3331 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3331 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile HX3375 Appliance
Hardware solutions / Firmware
ThinkAgile HX3376 Certified Node
Hardware solutions / Firmware
ThinkAgile HX3520-G Appliance
Hardware solutions / Firmware
ThinkAgile HX3521-G Certified Node
Hardware solutions / Firmware
ThinkAgile HX3720 Appliance
Hardware solutions / Firmware
ThinkAgile HX3721 Certified Node
Hardware solutions / Firmware
ThinkAgile HX5520 Appliance
Hardware solutions / Firmware
ThinkAgile HX5520-C Appliance
Hardware solutions / Firmware
ThinkAgile HX5521 Certified Node
Hardware solutions / Firmware
ThinkAgile HX5521-C Certified Node
Hardware solutions / Firmware
ThinkAgile HX5531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7520 Appliance
Hardware solutions / Firmware
ThinkAgile HX7521 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7530 Appl for SAP HANA
Hardware solutions / Firmware
ThinkAgile HX7531 Certified Node
Hardware solutions / Firmware
ThinkAgile HX7531 Node SAP HANA
Hardware solutions / Firmware
ThinkAgile HX7820 Appliance
Hardware solutions / Firmware
ThinkAgile HX7821 Certified Node
Hardware solutions / Firmware
ThinkAgile MX Edge Appliance - MX1020
Hardware solutions / Firmware
ThinkAgile MX3330-F All-flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3330-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3331-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile MX3331-H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3530 F All flash Appliance
Hardware solutions / Firmware
ThinkAgile MX3530-H Hybrid Appliance
Hardware solutions / Firmware
ThinkAgile MX3531 H Hybrid Certified node
Hardware solutions / Firmware
ThinkAgile MX3531-F All-flash Certified node
Hardware solutions / Firmware
ThinkAgile MX630 V3 Certified Node
Hardware solutions / Firmware
ThinkAgile MX630 V3 Integrated System
Hardware solutions / Firmware
ThinkAgile MX650 V3 Certified Node
Hardware solutions / Firmware
ThinkAgile MX650 v3 Integrated System
Hardware solutions / Firmware
ThinkAgile MX1021 on SE350
Hardware solutions / Firmware
ThinkAgile VX 1SE Certified Node
Hardware solutions / Firmware
ThinkAgile VX 2U4N Certified Node
Hardware solutions / Firmware
ThinkAgile VX 4U Certified Node
Hardware solutions / Firmware
ThinkAgile VX1320
Hardware solutions / Firmware
ThinkAgile VX2320
Hardware solutions / Firmware
ThinkAgile VX2330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3320
Hardware solutions / Firmware
ThinkAgile VX3330 Appliance
Hardware solutions / Firmware
ThinkAgile VX3520-G
Hardware solutions / Firmware
ThinkAgile VX3530-G Appliance
Hardware solutions / Firmware
ThinkAgile VX3720
Hardware solutions / Firmware
ThinkAgile VX5520
Hardware solutions / Firmware
ThinkAgile VX5530 Appliance
Hardware solutions / Firmware
ThinkAgile VX7320 N
Hardware solutions / Firmware
ThinkAgile VX7330 Appliance
Hardware solutions / Firmware
ThinkAgile VX7520
Hardware solutions / Firmware
ThinkAgile VX7520 N
Hardware solutions / Firmware
ThinkAgile VX7530 Appliance
Hardware solutions / Firmware
ThinkAgile VX7531 Certified Node
Hardware solutions / Firmware
ThinkAgile VX7820
Hardware solutions / Firmware
ThinkEdge SE450
Hardware solutions / Firmware
ThinkStation P920 Rack Workstation
Hardware solutions / Firmware
ThinkSystem SD530
Hardware solutions / Firmware
ThinkSystem SD630 V2
Hardware solutions / Firmware
ThinkSystem SD650 DWC Dual Node Tray
Hardware solutions / Firmware
ThinkSystem SD650 V2
Hardware solutions / Firmware
ThinkSystem SD650 V3
Hardware solutions / Firmware
ThinkSystem SD650-N V2
Hardware solutions / Firmware
ThinkSystem SD665 V3
Hardware solutions / Firmware
ThinkSystem SE350
Hardware solutions / Firmware
ThinkSystem SN550
Hardware solutions / Firmware
ThinkSystem SN550 V2
Hardware solutions / Firmware
ThinkSystem SN850
Hardware solutions / Firmware
ThinkSystem SR150
Hardware solutions / Firmware
ThinkSystem SR158
Hardware solutions / Firmware
ThinkSystem SR250
Hardware solutions / Firmware
ThinkSystem SR250 V2
Hardware solutions / Firmware
ThinkSystem SR258
Hardware solutions / Firmware
ThinkSystem SR258 V2
Hardware solutions / Firmware
ThinkSystem SR530
Hardware solutions / Firmware
ThinkSystem SR550
Hardware solutions / Firmware
ThinkSystem SR570
Hardware solutions / Firmware
ThinkSystem SR590
Hardware solutions / Firmware
ThinkSystem SR630
Hardware solutions / Firmware
ThinkSystem SR630 V2
Hardware solutions / Firmware
ThinkSystem SR630 V3
Hardware solutions / Firmware
ThinkSystem SR635 V3
Hardware solutions / Firmware
ThinkSystem SR645
Hardware solutions / Firmware
ThinkSystem SR645 V3
Hardware solutions / Firmware
ThinkSystem SR650
Hardware solutions / Firmware
ThinkSystem SR650 V2
Hardware solutions / Firmware
ThinkSystem SR650 V3
Hardware solutions / Firmware
ThinkSystem SR655 V3
Hardware solutions / Firmware
ThinkSystem SR665
Hardware solutions / Firmware
ThinkSystem SR665 V3
Hardware solutions / Firmware
ThinkSystem SR670
Hardware solutions / Firmware
ThinkSystem SR670 V2
Hardware solutions / Firmware
ThinkSystem SR675 V3
Hardware solutions / Firmware
ThinkSystem SR850
Hardware solutions / Firmware
ThinkSystem SR850 V2
Hardware solutions / Firmware
ThinkSystem SR850 V3
Hardware solutions / Firmware
ThinkSystem SR850P
Hardware solutions / Firmware
ThinkSystem SR860
Hardware solutions / Firmware
ThinkSystem SR860 V2
Hardware solutions / Firmware
ThinkSystem SR860 V3
Hardware solutions / Firmware
ThinkSystem SR950
Hardware solutions / Firmware
ThinkSystem ST250
Hardware solutions / Firmware
ThinkSystem ST250 V2
Hardware solutions / Firmware
ThinkSystem ST258
Hardware solutions / Firmware
ThinkSystem ST258 V2
Hardware solutions / Firmware
ThinkSystem ST550
Hardware solutions / Firmware
ThinkSystem ST650 V2
Hardware solutions / Firmware
ThinkSystem ST650 V3
Hardware solutions / Firmware
ThinkSystem ST658 V2
Hardware solutions / Firmware
ThinkSystem ST658 V3
Hardware solutions / Firmware

Vendor: Lenovo

Description

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to improperly imposed security restrictions. A local authenticated Lenovo XClarity Controller (XCC) user can change permissions for any user through a crafted API command.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

ThinkAgile HX5530 Appliance: before 2.85

ThinkAgile HX7530 Appliance: before 2.85

ThinkAgile VX3331 Certified Node: before 2.85

ThinkAgile HX Enclosure Certified Node: before 6.20

ThinkAgile HX1021 Edge Certified Node 3yr: before 3.91

ThinkAgile HX1320 Appliance: before 9.80

ThinkAgile HX1321 Certified Node: before 9.80

ThinkAgile HX1331 Certified Node: before 2.85

ThinkAgile HX1520-R Appliance: before 9.80

ThinkAgile HX1521-R Certified Node: before 9.80

ThinkAgile HX2320-E Appliance: before 9.80

ThinkAgile HX2321 Certified Node: before 9.80

ThinkAgile HX2330 Appliance: before 2.85

ThinkAgile HX2331 Certified Node: before 2.85

ThinkAgile HX2720-E Appliance: before 6.20

ThinkAgile HX3320 Appliance: before 9.80

ThinkAgile HX3321 Certified Node: before 9.80

ThinkAgile HX3330 Appliance: before 2.85

ThinkAgile HX3331 Certified Node: before 2.85

ThinkAgile HX3331 Node SAP HANA: before 2.85

ThinkAgile HX3375 Appliance: before 5.00

ThinkAgile HX3376 Certified Node: before 5.00

ThinkAgile HX3520-G Appliance: before 9.80

ThinkAgile HX3521-G Certified Node: before 9.80

ThinkAgile HX3720 Appliance: before 6.20

ThinkAgile HX3721 Certified Node: before 6.20

ThinkAgile HX5520 Appliance: before 9.80

ThinkAgile HX5520-C Appliance: before 9.80

ThinkAgile HX5521 Certified Node: before 9.80

ThinkAgile HX5521-C Certified Node: before 9.80

ThinkAgile HX5531 Certified Node: before 2.85

ThinkAgile HX7520 Appliance: before 9.80

ThinkAgile HX7521 Certified Node: before 9.80

ThinkAgile HX7530 Appl for SAP HANA: before 2.85

ThinkAgile HX7531 Certified Node: before 2.85

ThinkAgile HX7531 Node SAP HANA: before 2.85

ThinkAgile HX7820 Appliance: before 2.90

ThinkAgile HX7821 Certified Node: before 2.90

ThinkAgile MX Edge Appliance - MX1020: before 3.91

ThinkAgile MX3330-F All-flash Appliance: before 2.85

ThinkAgile MX3330-H Hybrid Appliance: before 2.85

ThinkAgile MX3331-F All-flash Certified node: before 2.85

ThinkAgile MX3331-H Hybrid Certified node: before 2.85

ThinkAgile MX3530 F All flash Appliance: before 2.85

ThinkAgile MX3530-H Hybrid Appliance: before 2.85

ThinkAgile MX3531 H Hybrid Certified node: before 2.85

ThinkAgile MX3531-F All-flash Certified node: before 2.85

ThinkAgile MX630 V3 Certified Node: before 2.14

ThinkAgile MX630 V3 Integrated System: before 2.14

ThinkAgile MX650 V3 Certified Node: before 2.14

ThinkAgile MX650 v3 Integrated System: before 2.14

ThinkAgile MX1021 on SE350: before 3.91

ThinkAgile VX 1SE Certified Node: before 6.20

ThinkAgile VX 2U4N Certified Node: before 6.20

ThinkAgile VX 4U Certified Node: before 2.90

ThinkAgile VX1320: before 6.20

ThinkAgile VX2320: before 9.80

ThinkAgile VX2330 Appliance: before 2.85

ThinkAgile VX3320: before 9.80

ThinkAgile VX3330 Appliance: before 2.85

ThinkAgile VX3520-G: before 9.80

ThinkAgile VX3530-G Appliance: before 2.85

ThinkAgile VX3720: before 6.20

ThinkAgile VX5520: before 9.80

ThinkAgile VX5530 Appliance: before 2.85

ThinkAgile VX7320 N: before 9.80

ThinkAgile VX7330 Appliance: before 2.85

ThinkAgile VX7520: before 9.80

ThinkAgile VX7520 N: before 9.80

ThinkAgile VX7530 Appliance: before 2.85

ThinkAgile VX7531 Certified Node: before 2.85

ThinkAgile VX7820: before 2.90

ThinkEdge SE450: before 1.70

ThinkStation P920 Rack Workstation: before 9.80

ThinkSystem SD530: before 6.20

ThinkSystem SD630 V2: before 2.85

ThinkSystem SD650 DWC Dual Node Tray: before 6.20

ThinkSystem SD650 V2: before 2.85

ThinkSystem SD650 V3: before 2.12

ThinkSystem SD650-N V2: before 2.85

ThinkSystem SD665 V3: before 2.12

ThinkSystem SE350: before 3.91

ThinkSystem SN550: before 6.20

ThinkSystem SN550 V2: before 2.85

ThinkSystem SN850: before 6.20

ThinkSystem SR150: before 6.20

ThinkSystem SR158: before 6.20

ThinkSystem SR250: before 6.20

ThinkSystem SR250 V2: before 2.85

ThinkSystem SR258: before 6.20

ThinkSystem SR258 V2: before 2.85

ThinkSystem SR530: before 9.80

ThinkSystem SR550: before 9.80

ThinkSystem SR570: before 9.80

ThinkSystem SR590: before 9.80

ThinkSystem SR630: before 9.80

ThinkSystem SR630 V2: before 2.85

ThinkSystem SR630 V3: before 2.14

ThinkSystem SR635 V3: before 2.12

ThinkSystem SR645: before 5.00

ThinkSystem SR645 V3: before 2.12

ThinkSystem SR650: before 9.80

ThinkSystem SR650 V2: before 2.85

ThinkSystem SR650 V3: before 2.14

ThinkSystem SR655 V3: before 2.12

ThinkSystem SR665: before 5.00

ThinkSystem SR665 V3: before 2.12

ThinkSystem SR670: before 3.91

ThinkSystem SR670 V2: before 2.85

ThinkSystem SR675 V3: before 1.11

ThinkSystem SR850: before 6.20

ThinkSystem SR850 V2: before 2.85

ThinkSystem SR850 V3: before 1.11

ThinkSystem SR850P: before 3.91

ThinkSystem SR860: before 6.20

ThinkSystem SR860 V2: before 2.85

ThinkSystem SR860 V3: before 1.11

ThinkSystem SR950: before 2.90

ThinkSystem ST250: before 6.20

ThinkSystem ST250 V2: before 2.85

ThinkSystem ST258: before 6.20

ThinkSystem ST258 V2: before 2.85

ThinkSystem ST550: before 9.80

ThinkSystem ST650 V2: before 2.85

ThinkSystem ST650 V3: before 2.17

ThinkSystem ST658 V2: before 2.85

ThinkSystem ST658 V3: before 2.17


External links
https://support.lenovo.com/us/en/product_security/LEN-140960


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

