Multiple ThinkServer System Manager (TSM) *50-series Security Weaknesses - Lenovo Support US

ID: LENOVO:PS500011-MULTIPLE-THINKSERVER-SYSTEM-MANAGER-TSM-50-SERIES-SECURITY-WEAKNESSES-NOSID
Date: Jun 20, 2016
Source: support.lenovo.com

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

EPSS: 0.003 Low (Percentile: 66.1%)

Lenovo Security Advisory: LEN-2015-024

**Potential Impact:** Unauthorized Access; Escalation of Privilege; Denial of Service; Man-in-the-Middle (MitM) Attack

**Severity:** High

Summary:
Multiple security weaknesses were discovered in the ThinkServer System Manager (TSM) Baseboard Management Controller for the *50-series of ThinkServers. These weaknesses were found during an internal security review and corrected. Upgrading to the latest version of TSM is considered an important update and strongly encouraged.

Description:
An internal security review discovered multiple security weaknesses in the ThinkServer System Manager (TSM) Baseboard Management Controller for the *50-series of ThinkServers. If exploited, these weaknesses could result in one or more of the following security impacts:

  • Unauthorized Access and Escalation of Privilege: known vulnerabilities in IPMI-over-LAN or restoration of a specially crafted backup file could grant unauthorized access or lead to privilege escalation
  • Denial of Service: a certain combination of malformed HTTP input during user authentication could crash the web user interface under certain circumstances
  • Man-in-the-Middle Attack: server certificate validation was not performed when establishing an encrypted remote KVM session

These weaknesses have been corrected in the TSM v1.27.73476 firmware release for the *50-series of ThinkServers. This update also includes other internal code improvements to further enhance TSM security. You can find the latest version of TSM at the following link: DS102390.
The TSM v1.27.73476 firmware release is considered an important update and its installation is strongly encouraged for all ThinkServer *50-series customers.

Mitigation and Best Practices:
See the “Lenovo ThinkServer System Manager (TSM) Security Best Practices” guide for methods to mitigate the security weaknesses described in this advisory, as well as other attacks against the TSM.

Affected Products:

  • ThinkServer RD350
  • ThinkServer RD450
  • ThinkServer RD550
  • ThinkServer RD650
  • ThinkServer TD350

**Acknowledgements:** None

Other information and references:

Revision History:

Revision | Date | Description
---|---|---
1.1 | 05/05/2015 | Added CVE ID
1.0 | 03/24/2015 | Initial release
