CVE-2021-3956

nvd nist
Published: May 18, 2022
Modified: Nov 21, 2024

CVSS score: 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 3.9 / Impact: 1.4
Source: NVD

Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Affected (5)

1 product
Xclarity Controller
Configuration A
1 vulnerable · 35 platform
Vulnerable Software (Affected Versions): Before 7.22_cdi382o
Running on/with (Platform Versions):
Lenovo Thinkagile Hx1320 (All versions)
Lenovo Thinkagile Hx1321 (All versions)
Lenovo Thinkagile Hx1520 R (All versions)
Lenovo Thinkagile Hx1521 R (All versions)
Lenovo Thinkagile Hx2320 E (All versions)
Lenovo Thinkagile Hx2321 (All versions)
Lenovo Thinkagile Hx3320 (All versions)
Lenovo Thinkagile Hx3321 (All versions)
Lenovo Thinkagile Hx3375 (All versions)
Lenovo Thinkagile Hx3376 (All versions)
Lenovo Thinkagile Hx3520 G (All versions)
Lenovo Thinkagile Hx3521 G (All versions)
Lenovo Thinkagile Hx5520 (All versions)
Lenovo Thinkagile Hx5520 C (All versions)
Lenovo Thinkagile Hx5521 (All versions)
Lenovo Thinkagile Hx5521 C (All versions)
Lenovo Thinkagile Hx7520 (All versions)
Lenovo Thinkagile Hx7521 (All versions)
Lenovo Thinkagile Vx2320 (All versions)
Lenovo Thinkagile Vx3320 (All versions)
Lenovo Thinkagile Vx3520 G (All versions)
Lenovo Thinkagile Vx5520 (All versions)
Lenovo Thinkagile Vx7320 N (All versions)
Lenovo Thinkagile Vx7520 (All versions)
Lenovo Thinkagile Vx7520 N (All versions)
Lenovo Thinkstation P920 (All versions)
Lenovo Thinksystem Sr530 (All versions)
Lenovo Thinksystem Sr550 (All versions)
Lenovo Thinksystem Sr570 (All versions)
Lenovo Thinksystem Sr590 (All versions)
Lenovo Thinksystem Sr630 (All versions)
Lenovo Thinksystem Sr645 (All versions)
Lenovo Thinksystem Sr650 (All versions)
Lenovo Thinksystem Sr665 (All versions)
Lenovo Thinksystem St550 (All versions)
Configuration B
1 vulnerable · 3 platform
Vulnerable Software (Affected Versions): Before 2.32_psi342n
Running on/with (Platform Versions):
Lenovo Thinkagile Hx7820 (All versions)
Lenovo Thinkagile Hx7821 (All versions)
Lenovo Thinksystem Sr950 (All versions)
Configuration C
1 vulnerable · 2 platform
Vulnerable Software (Affected Versions): Before 3.41_tei382m
Running on/with (Platform Versions):
Lenovo Thinkagile Mx1021 (All versions)
Lenovo Thinksystem Se350 (All versions)
Configuration D
1 vulnerable · 5 platform
Vulnerable Software (Affected Versions): Before 4.83_tei3c0n
Running on/with (Platform Versions):
Lenovo Thinksystem Sd650 (All versions)
Lenovo Thinksystem Sn550 (All versions)
Lenovo Thinksystem Sn850 (All versions)
Lenovo Thinksystem Sr850 (All versions)
Lenovo Thinksystem Sr860 (All versions)
Configuration E
1 vulnerable · 2 platform
Vulnerable Software (Affected Versions): Before 1.51_tgbt24l
Running on/with (Platform Versions):
Lenovo Thinksystem Sr850 (Version 2.0)
Lenovo Thinksystem Sr860 (Version 2.0)

References (2)

Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
