CVE-2021-3956

CWE: 863 (Incorrect Authorization)

First published: Wed May 18 2022

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.
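The failure mode described above, as an added Python model that is not Lenovo's code and not part of the advisory: an LDAP simple bind with a name and an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which servers such as Active Directory may accept with a success result while granting only anonymous access. The directory entries, `simple_bind`, `authenticate_naive` and `authenticate_hardened` are constructed for illustration.

```python
"""Model of the LDAP 'unauthenticated bind' pitfall in authentication-only setups."""
from dataclasses import dataclass

# Constructed sample directory (DN -> password); not real credentials.
DIRECTORY = {
    "cn=alice,ou=users,dc=example,dc=com": "correct horse battery staple",
}


@dataclass
class BindResult:
    result_code: int   # 0 = success, 49 = invalidCredentials, 53 = unwillingToPerform (RFC 4511)
    authz_id: str      # identity the server actually granted; "" means anonymous


def simple_bind(dn: str, password: str, allow_unauthenticated: bool = True) -> BindResult:
    """Simulated server-side simple bind (RFC 4513 section 5.1).

    A non-empty name with an empty password is an unauthenticated bind. A server
    that permits it answers 'success' but treats the session as anonymous."""
    if dn == "" and password == "":
        return BindResult(0, "")            # anonymous bind
    if password == "":
        if allow_unauthenticated:
            return BindResult(0, "")        # success code, but still anonymous
        return BindResult(53, "")           # server configured to refuse it
    if DIRECTORY.get(dn) == password:
        return BindResult(0, dn)            # genuinely authenticated as dn
    return BindResult(49, "")


def authenticate_naive(dn: str, password: str) -> bool:
    """Authentication-only logic that trusts the bind result code alone.
    An empty password yields 'success', so the caller is wrongly let in."""
    return simple_bind(dn, password).result_code == 0


def authenticate_hardened(dn: str, password: str) -> bool:
    """Rejects empty credentials before binding and requires the server to have
    authenticated the supplied DN, not merely returned success.

    In a real client the granted identity would be read back with the
    'Who am I?' extended operation (RFC 4532) rather than from a field."""
    if not dn or not password:
        return False
    res = simple_bind(dn, password)
    return res.result_code == 0 and res.authz_id == dn
```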

Credit: psirt@lenovo.com

Affected software and versions (for the fix, see Remedy below)

Lenovo XClarity Controller, versions below 7.22_cdi382o, on:
  Lenovo ThinkAgile HX1320
  Lenovo ThinkAgile HX1321
  Lenovo ThinkAgile HX1520-R
  Lenovo ThinkAgile HX1521-R
  Lenovo ThinkAgile HX2320-E
  Lenovo ThinkAgile HX2321
  Lenovo ThinkAgile HX3320
  Lenovo ThinkAgile HX3321
  Lenovo ThinkAgile HX3375
  Lenovo ThinkAgile HX3376
  Lenovo ThinkAgile HX3520-G
  Lenovo ThinkAgile HX3521-G
  Lenovo ThinkAgile HX5520
  Lenovo ThinkAgile HX5520-C
  Lenovo ThinkAgile HX5521
  Lenovo ThinkAgile HX5521-C
  Lenovo ThinkAgile HX7520
  Lenovo ThinkAgile HX7521
  Lenovo ThinkAgile VX2320
  Lenovo ThinkAgile VX3320
  Lenovo ThinkAgile VX3520-G
  Lenovo ThinkAgile VX5520
  Lenovo ThinkAgile VX7320 N
  Lenovo ThinkAgile VX7520
  Lenovo ThinkAgile VX7520 N
  Lenovo ThinkStation P920
  Lenovo ThinkSystem SR530
  Lenovo ThinkSystem SR550
  Lenovo ThinkSystem SR570
  Lenovo ThinkSystem SR590
  Lenovo ThinkSystem SR630
  Lenovo ThinkSystem SR645
  Lenovo ThinkSystem SR650
  Lenovo ThinkSystem SR665
  Lenovo ThinkSystem ST550

Lenovo XClarity Controller, versions below 2.32_psi342n, on:
  Lenovo ThinkAgile HX7820
  Lenovo ThinkAgile HX7821
  Lenovo ThinkSystem SR950

Lenovo XClarity Controller, versions below 3.41_tei382m, on:
  Lenovo ThinkAgile MX1021
  Lenovo ThinkSystem SE350

Lenovo XClarity Controller, versions below 4.83_tei3c0n, on:
  Lenovo ThinkSystem SD650
  Lenovo ThinkSystem SN550
  Lenovo ThinkSystem SN850
  Lenovo ThinkSystem SR850
  Lenovo ThinkSystem SR860

Lenovo XClarity Controller, versions below 1.51_tgbt24l, on:
  Lenovo ThinkSystem SR850 (2.0)
  Lenovo ThinkSystem SR860 (2.0)

Remedy

Update to the Lenovo XClarity Controller (XCC) firmware version (or later) recommended in the Product Impact section of Lenovo security advisory LEN-72074.

Frequently Asked Questions

  • What is CVE-2021-3956?

    CVE-2021-3956 is a read-only authentication bypass vulnerability in Lenovo XClarity Controller (XCC) firmware.

  • Which devices are affected by CVE-2021-3956?

    The Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware is affected by CVE-2021-3956.

  • What is the severity level of CVE-2021-3956?

    CVE-2021-3956 has a CVSS base score of 5.3 (medium severity).

  • How does CVE-2021-3956 affect LDAP Authentication Only Mode?

    CVE-2021-3956 affects XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports 'unauthenticated bind', such as Microsoft Active Directory.

  • How can I fix CVE-2021-3956?

    To fix CVE-2021-3956, Lenovo has released a firmware update. Please refer to the official Lenovo security advisory for more information.
