
ThinkServer *50-series BIOS Password Encryption Weakness - Lenovo Support US

2016-06-20 00:00:00
support.lenovo.com
7

EPSS: 0.001 (Low), Percentile: 35.6%

Lenovo Security Advisory: LEN-2015-018

**Potential Impact:** Password Disclosure

**Severity:** Low

Summary:
The ThinkServer *50-series of servers stores user and administrator BIOS passwords using a legacy, proprietary form of encryption. This issue was found during an internal security review and corrected. Upgrading to the latest version of BIOS firmware is recommended.

Description:
An internal security review discovered that a legacy, proprietary form of encryption was used by the BIOS firmware of the *50-series of ThinkServers to store user and administrator passwords. The encrypted form of these passwords was not normally accessible, but could be discovered by an attacker under certain circumstances. Once discovered, an attacker could reverse the encryption and reveal the actual passwords.

This weakness has been corrected in the BIOS V1.26.0 update for the *50-series of ThinkServers. The update is recommended for customers that use BIOS passwords.

Product Impact:

Affected Product | Minimum version including fix | Link
---|---|---
ThinkServer RD350 | 1.26.0 | <http://support.lenovo.com/us/en/downloads/DS102451>
ThinkServer RD450 | 1.26.0 | <http://support.lenovo.com/us/en/downloads/DS102451>
ThinkServer RD550 | 1.26.0 | <http://support.lenovo.com/us/en/downloads/DS101195>
ThinkServer RD650 | 1.26.0 | <http://support.lenovo.com/us/en/downloads/DS101196>
ThinkServer TD350 | 1.26.0 | <http://support.lenovo.com/us/en/downloads/DS101198>

**Acknowledgements:** None

Other information and references:

CVE ID: CVE-2015-3322

Revision History:

Revision | Date | Description
---|---|---
1.1 | 05/05/2015 | Added CVE ID
1.0 | 03/24/2015 | Initial release
