First published: Wed May 18 2022
A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware. It affects XCC devices configured in LDAP Authentication Only Mode that use an LDAP server supporting “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated bind (RFC 4513, section 5.1.2) is a simple bind that supplies a user name but an empty password; a server that permits it reports the bind as successful while granting only anonymous authorization, so an LDAP client that treats any successful bind as a verified login accepts a login with an empty password. In such a configuration an unauthenticated user can gain read-only access to XCC, allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or an LDAP server that supports only “authenticated bind” and/or “anonymous bind” are not affected.
Credit: psirt@lenovo.com
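The following script is an added example for this page, not Lenovo code, and it does not describe XCC internals. It builds a raw LDAP simple BindRequest (BER-encoded, so no LDAP library is required), shows the client-side mistake that turns a server-accepted empty-password bind into a login, the client-side check that prevents it, and a live probe you can point at the directory an XCC is configured against to see whether that directory accepts unauthenticated binds. The in-memory directories, DNs and passwords are constructed for the demonstration.

```python
"""Probe for RFC 4513 "unauthenticated" simple binds (a DN with an empty
password) and show the client-side mistake that turns them into a login bypass.
Added example for this page; it is not Lenovo code and does not describe XCC
internals. Raw BER is used so that no third-party LDAP library is needed."""
import socket

# LDAP result codes (RFC 4511, Appendix A)
SUCCESS, INVALID_CREDENTIALS, UNWILLING_TO_PERFORM = 0, 49, 53

# ASN.1/BER tags used by the LDAP messages below
SEQUENCE, INTEGER, OCTET_STRING, ENUMERATED = 0x30, 0x02, 0x04, 0x0A
BIND_REQUEST, BIND_RESPONSE, SIMPLE_AUTH = 0x60, 0x61, 0x80  # [APPLICATION 0], [APPLICATION 1], [0]


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def bind_request(msg_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    Message ids below 128 only (one-octet positive INTEGER)."""
    op = tlv(INTEGER, b"\x03") + tlv(OCTET_STRING, name.encode()) + tlv(SIMPLE_AUTH, password.encode())
    return tlv(SEQUENCE, tlv(INTEGER, msg_id.to_bytes(1, "big")) + tlv(BIND_REQUEST, op))


def bind_response(msg_id: int, code: int) -> bytes:
    """LDAPMessage carrying a BindResponse { resultCode, matchedDN "", diagnosticMessage "" }."""
    body = tlv(ENUMERATED, bytes([code])) + tlv(OCTET_STRING, b"") + tlv(OCTET_STRING, b"")
    return tlv(SEQUENCE, tlv(INTEGER, msg_id.to_bytes(1, "big")) + tlv(BIND_RESPONSE, body))


def bind_result_code(msg: bytes) -> int:
    """resultCode of the BindResponse inside an LDAPMessage."""
    tag, body, _ = read_tlv(msg)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(body)                 # skip messageID
    tag, resp, _ = read_tlv(body, pos)
    if tag != BIND_RESPONSE:
        raise ValueError(f"expected BindResponse, got tag 0x{tag:02x}")
    tag, code, _ = read_tlv(resp)              # resultCode ENUMERATED
    if tag != ENUMERATED:
        raise ValueError("malformed BindResponse")
    return int.from_bytes(code, "big")


def make_server(directory: dict, allow_unauthenticated: bool):
    """Constructed in-memory directory: `directory` maps DN -> password.
    With allow_unauthenticated=True an empty password binds successfully (as
    anonymous); otherwise it is refused, as RFC 4513 section 5.1.2 recommends."""
    def serve(req: bytes) -> bytes:
        _, body, _ = read_tlv(req)
        _, msg_id, pos = read_tlv(body)
        _, op, _ = read_tlv(body, pos)
        _, _, pos = read_tlv(op)               # version
        _, name, pos = read_tlv(op, pos)
        _, password, _ = read_tlv(op, pos)
        mid = int.from_bytes(msg_id, "big")
        if password == b"":
            return bind_response(mid, SUCCESS if allow_unauthenticated else UNWILLING_TO_PERFORM)
        ok = directory.get(name.decode()) == password.decode()
        return bind_response(mid, SUCCESS if ok else INVALID_CREDENTIALS)
    return serve


def naive_login(server, dn: str, password: str) -> bool:
    """The bug pattern: forward whatever was typed and trust resultCode 0."""
    return bind_result_code(server(bind_request(1, dn, password))) == SUCCESS


def safe_login(server, dn: str, password: str) -> bool:
    """Client-side mitigation: never send an empty password, so the server's
    unauthenticated-bind policy cannot be mistaken for a verified login."""
    if not password:
        return False
    return naive_login(server, dn, password)


def probe_unauthenticated_bind(host: str, dn: str, port: int = 389, timeout: float = 5.0) -> int:
    """Live check over plain LDAP: send one empty-password bind, return its resultCode.
    0 means the server accepts unauthenticated binds; 53 is the RFC default refusal."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request(1, dn, ""))
        return bind_result_code(s.recv(4096))


if __name__ == "__main__":
    DN = "cn=alice,dc=example,dc=com"                     # constructed test identity
    ad_like = make_server({DN: "correct horse"}, allow_unauthenticated=True)
    hardened = make_server({DN: "correct horse"}, allow_unauthenticated=False)
    print("naive client, empty password, server allows unauth bind:", naive_login(ad_like, DN, ""))
    print("safe client,  empty password, same server:              ", safe_login(ad_like, DN, ""))
    print("naive client, empty password, server refuses unauth bind:", naive_login(hardened, DN, ""))
```

`probe_unauthenticated_bind` speaks cleartext LDAP on 389 (no StartTLS or LDAPS) and is meant for a lab check against the directory an XCC points at; a resultCode of 0 for an empty password is the precondition the advisory describes. On the directory side, Active Directory accepts unauthenticated binds unless the forest-wide `DenyUnauthenticatedBind` flag (Windows Server 2019 and later, set through the `msDS-Other-Settings` attribute of the Directory Service object) is enabled; refusing them there protects every LDAP client, not only XCC.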
Each Lenovo XClarity Controller row gives the fixed firmware version for the products listed beneath it; versions below that value are affected.

Affected Software | Affected Version | How to fix |
---|---|---|
Lenovo XClarity Controller | <7.22_cdi382o | Update XCC firmware per LEN-72074 |
Lenovo ThinkAgile HX1320 | | |
Lenovo ThinkAgile HX1321 | | |
Lenovo ThinkAgile HX1520-R | | |
Lenovo ThinkAgile HX1521-R | | |
Lenovo ThinkAgile HX2320-E | | |
Lenovo ThinkAgile HX2321 | | |
Lenovo ThinkAgile HX3320 | | |
Lenovo ThinkAgile HX3321 | | |
Lenovo ThinkAgile HX3375 | | |
Lenovo ThinkAgile HX3376 | | |
Lenovo ThinkAgile HX3520-G | | |
Lenovo ThinkAgile HX3521-G | | |
Lenovo ThinkAgile HX5520 | | |
Lenovo ThinkAgile HX5520-C | | |
Lenovo ThinkAgile HX5521 | | |
Lenovo ThinkAgile HX5521-C | | |
Lenovo ThinkAgile HX7520 | | |
Lenovo ThinkAgile HX7521 | | |
Lenovo ThinkAgile VX2320 | | |
Lenovo ThinkAgile VX3320 | | |
Lenovo ThinkAgile VX3520-G | | |
Lenovo ThinkAgile VX5520 | | |
Lenovo ThinkAgile VX7320 N | | |
Lenovo ThinkAgile VX7520 | | |
Lenovo ThinkAgile VX7520 N | | |
Lenovo ThinkStation P920 | | |
Lenovo ThinkSystem SR530 | | |
Lenovo ThinkSystem SR550 | | |
Lenovo ThinkSystem SR570 | | |
Lenovo ThinkSystem SR590 | | |
Lenovo ThinkSystem SR630 | | |
Lenovo ThinkSystem SR645 | | |
Lenovo ThinkSystem SR650 | | |
Lenovo ThinkSystem SR665 | | |
Lenovo ThinkSystem ST550 | | |
Lenovo XClarity Controller | <2.32_psi342n | Update XCC firmware per LEN-72074 |
Lenovo ThinkAgile HX7820 | | |
Lenovo ThinkAgile HX7821 | | |
Lenovo ThinkSystem SR950 | | |
Lenovo XClarity Controller | <3.41_tei382m | Update XCC firmware per LEN-72074 |
Lenovo ThinkAgile MX1021 | | |
Lenovo ThinkSystem SE350 | | |
Lenovo XClarity Controller | <4.83_tei3c0n | Update XCC firmware per LEN-72074 |
Lenovo ThinkSystem SD650 | | |
Lenovo ThinkSystem SN550 | | |
Lenovo ThinkSystem SN850 | | |
Lenovo ThinkSystem SR850 | | |
Lenovo ThinkSystem SR860 | | |
Lenovo XClarity Controller | <1.51_tgbt24l | Update XCC firmware per LEN-72074 |
Lenovo ThinkSystem SR850 | =2.0 | |
Lenovo ThinkSystem SR860 | =2.0 | |
Update to the Lenovo XClarity Controller (XCC) firmware version (or later) recommended for your product in the Product Impact section of Lenovo advisory LEN-72074.
CVE-2021-3956 is a read-only authentication bypass vulnerability in Lenovo XClarity Controller (XCC) firmware, present in the Third Quarter 2021 XCC release.
CVE-2021-3956 carries a CVSS base score of 5.3 (medium): an unauthenticated network attacker can read XCC configuration but cannot change it.
CVE-2021-3956 is reachable only when XCC is in LDAP Authentication Only Mode and its LDAP server accepts an “unauthenticated bind” (a bind with a user name and an empty password), as Microsoft Active Directory does; local authentication and LDAP Authentication + Authorization Mode are not affected.
To fix CVE-2021-3956, update to the XCC firmware version listed for your product in Lenovo security advisory LEN-72074.