CVE-2021-3956

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

CVSS v3 5.3 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://support.lenovo.com/us/en/product_security/LEN-72074	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx1320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3375:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3376:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx2320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:::::::*
	cpe:2.3:h:lenovo:thinkstation_p920:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr530:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr570:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr590:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr630:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr645:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr665:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_st550:-:::::::*

Configuration 2 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx7820:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7821:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr950:-:::::::*

Configuration 3 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_mx1021:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_se350:-:::::::*

Configuration 4 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sd650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:-:::::::*

Configuration 5 (hide)

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sr850:2.0:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:2.0:::::::*

History

No history.

Information

Published : 2022-05-18 16:15

Updated : 2024-02-28 19:09

NVD link : CVE-2021-3956

Mitre link : CVE-2021-3956

CVE.ORG link : CVE-2021-3956

JSON object : View

Products Affected

lenovo

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2021-3956", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "psirt@lenovo.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2022-05-18T16:15:08.063", "references": [{"url": "https://support.lenovo.com/us/en/product_security/LEN-72074", "tags": ["Vendor Advisory"], "source": "psirt@lenovo.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-863"}]}, {"type": "Secondary", "source": "psirt@lenovo.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de elusi\u00f3n de autenticaci\u00f3n de solo lectura en la versi\u00f3n del tercer trimestre de 2021 del firmware de Lenovo XClarity Controller (XCC) que afecta a los dispositivos XCC configurados en el modo de solo autenticaci\u00f3n LDAP y que usan un servidor LDAP que admite \u20ac\u0153unauthenticated bind\u00e2\u20ac?, como Microsoft Active Directory. Un usuario no autenticado puede conseguir acceso de s\u00f3lo lectura al XCC en dicha configuraci\u00f3n, lo que permite visualizar la configuraci\u00f3n del dispositivo XCC pero no modificarla. Los dispositivos XCC configurados para usar la autenticaci\u00f3n local, el modo de autenticaci\u00f3n + autorizaci\u00f3n LDAP o los servidores LDAP que s\u00f3lo admiten la \"vinculaci\u00f3n autenticada\" y/o la \"vinculaci\u00f3n an\u00f3nima\" no est\u00e1n afectados"}], "lastModified": "2022-06-06T18:28:15.027", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1749A9CB-1719-4CC8-8476-D06D99BB2A2F", "versionEndExcluding": "7.22_cdi382o"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E72B2526-8BD9-49FD-BDCF-B654BCEAC8AE"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "ADFD8C5A-D9E0-4EFF-92A3-17A6DBE7D155"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "648DD614-F500-4FFB-8FD4-D2B284FE5E55"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D33A804F-C94C-4A6C-AA84-957834680652"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DECFCE59-8456-47A3-8A8E-989813E37674"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A5E515C4-D2F2-4A71-9A9C-70A80477352A"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "03D3EBE9-34C1-45CA-A800-B313110409DC"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "86E6A2F7-7EC0-46E1-A973-2172B076E883"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E8126219-A07C-42A6-9553-B6AE499DB6BF"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "57D7A545-BE29-4F0B-AC77-8E6DE955CA5B"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B9D354C3-0183-42D9-97D0-C9888B023195"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1E0DDCC8-46B7-43FA-8A4A-BCE8AB7F8480"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8A9FDCC0-F45C-4AA1-BB11-0761A25BF16B"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4EB95DEC-D622-4AD7-AC69-077A94BD752C"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "924C1B4B-6E97-4942-8000-BB59860913EE"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5788FFBD-69B4-4FB6-A2D2-4C6BA6CCE769"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7520:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "16776C5F-CCAF-4F22-B570-FE49A0B73FF7"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7521:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F350D6FE-7BE1-46C9-B1A6-4EE0AF8BCB55"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx2320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "BF7500A0-B95E-4E16-B532-28C139C94AF3"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3320:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4A8B3E93-970D-4B49-B5A6-6BFAC45BAAC4"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "72422C47-0027-4B4E-9C82-78FE8A8A6D75"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx5520:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "704A1043-7626-412C-8666-9088B3AA1147"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "435794D6-7773-4D93-96E2-7269EB863A04"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E25483F5-F222-42AF-ACA4-580CD2965C55"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "4C923CF1-EB97-431F-9D85-0CB5C921A040"}, {"criteria": "cpe:2.3:h:lenovo:thinkstation_p920:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D47FCAA7-B33F-4F00-85BA-AA8ED4790572"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr530:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F4C6628A-8A99-4841-A7C5-0445A03C638D"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr550:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D10850BF-A7EA-4B84-B2EF-66DCCC301514"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr570:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8A7C5BE3-5429-46B0-B0B5-C86A9B6376A7"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr590:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A3DC615C-A88A-4C45-892F-77C5E84104E8"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr630:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "D7F10C8D-C9C7-4FAD-980D-7A602C8BE81D"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr645:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DE27586B-1CC9-42A3-B763-93972E204A6D"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr650:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C6C2B5BB-6E1F-4E01-AAE8-A8239AB8945E"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr665:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1AE69184-CA94-4A27-AFF2-3B1B81D25CBA"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_st550:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A5B19107-5B45-4E45-8B34-90B5A1FF3962"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6975F7A6-DBC8-42D4-B067-E397FD978F3E", "versionEndExcluding": "2.32_psi342n"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7820:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DA2540A2-1462-42F7-949C-9881544DE684"}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7821:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "0E153D62-9443-4F52-BA47-5C2704E05BC9"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr950:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B6B0407D-D603-48AE-9A42-F4C68056E19D"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2D3658E6-8820-45E5-8357-7A9EB564553A", "versionEndExcluding": "3.41_tei382m"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_mx1021:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "C24F4237-BD63-4A87-B44A-970871642E27"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_se350:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "FD4B877C-8D19-4AD2-948D-ADBD9B1BEEED"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97D0E172-D188-4293-BD6D-94128304F07E", "versionEndExcluding": "4.83_tei3c0n"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sd650:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "7A1FF5D0-CC08-42B0-9798-55ED911B3EF6"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn550:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "5DB64709-93BA-43D8-A1DB-4CE405291430"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn850:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1DB0C393-2CB4-485F-93E2-2F28B19F9325"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "19771143-D5F1-4F2F-AB83-09913894681E"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "EAF08144-ECCB-477B-A934-E4578522BFEE"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6F17BC4-421A-453D-B933-97AA7BBED79E", "versionEndExcluding": "1.51_tgbt24l"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:2.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "95893E4E-6850-4C53-A5D6-12C3B9BB0E92"}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:2.0:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "E1F9CC8A-CCFA-4499-A2C8-6251EF43968D"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "psirt@lenovo.com"}