CVE-2021-3956

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

CVSS v3.0 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3.0 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-72074	Vendor Advisory

Advertisement

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkstation_p920:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr630:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr530:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr570:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr590:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_st550:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3375:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx2320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3376:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr645:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr665:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sr950:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7820:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7821:-:::::::*

Configuration 3 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_se350:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_mx1021:-:::::::*

Configuration 4 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sd650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:-:::::::*

Configuration 5 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sr860:2.0:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr850:2.0:::::::*

Information

Published : 2022-05-18 09:15

Updated : 2022-06-06 11:28

NVD link : CVE-2021-3956

Mitre link : CVE-2021-3956

JSON object : View

CWE

CWE-863

Incorrect Authorization

Advertisement

Products Affected

lenovo

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-72074", "name": "N/A", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-863"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-3956", "ASSIGNER": "psirt@lenovo.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "severity": "MEDIUM", "acInsufInfo": false, "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}}, "publishedDate": "2022-05-18T16:15Z", "configurations": {"nodes": [{"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.22_cdi382o"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:thinkstation_p920:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr630:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr530:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr550:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr570:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr590:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr650:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_st550:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx5520:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx5521:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx7520:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx7521:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx2320:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx3320:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx5520:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx7520:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr645:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr665:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.32_psi342n"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr950:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx7820:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_hx7821:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "3.41_tei382m"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_se350:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinkagile_mx1021:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "4.83_tei3c0n"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sd650:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sn550:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sn850:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr850:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr860:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.51_tgbt24l"}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr860:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}, {"cpe23Uri": "cpe:2.3:h:lenovo:thinksystem_sr850:2.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-06-06T18:28Z"}