LENOVO:PS500025-NOSID
Jan 23, 2017 - 12:00 a.m.

Privilege escalation vulnerabilities in IBM System Networking Switch Center and Lenovo Switch Center

2017-01-23 00:00:00
support.lenovo.com

CVSS2: 7.2 High

- Access Vector: LOCAL
- Access Complexity: LOW
- Authentication: NONE
- Confidentiality Impact: COMPLETE
- Integrity Impact: COMPLETE
- Availability Impact: COMPLETE

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.257 Low (Percentile: 96.2%)

**Lenovo Security Advisory:** LEN-2015-074, LEN-2746

**Potential Impact:** Escalation of Privileges

Severity: High

Summary: Multiple vulnerabilities have been identified in the following products:

- IBM System Networking Switch Center
- Lenovo Switch Center

Description:

Lenovo Switch Center, previously known as IBM System Networking Switch Center before it was acquired by Lenovo as part of its purchase of the IBM x86 server business, is a utility that provides remote monitoring and management of Ethernet and converged switches from Lenovo and IBM. It is designed to simplify and centralize the management of Lenovo and IBM BladeCenter, Flex System and RackSwitch Ethernet and converged switches.

Multiple local privilege escalation vulnerabilities have been identified in these two products: unprivileged local users may be able to run a command or code with escalated privileges on the system, unauthenticated users may be able to remotely obtain the encrypted administrator password, or the session user ID may be temporarily set to a valid ID used to log in.

Affected Products and Versions:

These vulnerabilities affect all versions of IBM System Networking Switch Center prior to and including 7.1.3.4 and Lenovo Switch Center 8.1.1.0.

Mitigation Strategy for Customers (what you should do to protect yourself):

Products that are still under a support contract can be upgraded to either IBM System Networking Switch Center 7.3.1.5 or Lenovo Switch Center 8.1.2.0, available from IBM Passport Advantage.

Acknowledgements:

Thanks to rgod working with HP's Zero Day Initiative.

Other information and references:

CVE ID: CVE-2015-7817; CVE-2015-7818; CVE-2015-7819; CVE-2015-7820

ZDI Reference: ZDI-CAN-3008; ZDI-CAN-3009; ZDI-CAN-3010; ZDI-CAN-3011; ZDI-CAN-3012

Revision History:

Revision | Date | Description
---|---|---
1.0 | **11/05/2015** | **Initial release**
