POODLE: SSLv3 Vulnerability - Lenovo Support US

2016-07-22 00:00:00
support.lenovo.com

**CVSS3:** 3.4 Low (`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N`)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | HIGH |
| Privileges Required | NONE |
| User Interaction | REQUIRED |
| Scope | CHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | NONE |
| Availability Impact | NONE |

**CVSS2:** 4.3 Medium (`AV:N/AC:M/Au:N/C:P/I:N/A:N`)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | MEDIUM |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |

**EPSS:** 0.975 High (Percentile 100.0%)

**Lenovo Security Advisory:** LEN-2014-007
Potential Impact: Unauthorized Access; Man-in-the-Middle (MitM) Attack
Severity: Medium

Summary:
A security vulnerability known as POODLE was publicly announced that affects a relatively low number of Internet-connected devices. However, this vulnerability is critical: it could allow an attacker to read encrypted information, even when that information is passed over an SSL connection. Lenovo has listed steps you can take to help protect yourself.

Mitigation Strategy for Customers (what you should do to protect yourself):

  • Upgrade your browser to the latest version supported by your IT organization. If you are using Internet Explorer 6, move to a more modern, supported browser.
  • Disable SSLv3 support within your browser. You can check whether your browser is vulnerable by going here and looking for SSLv3 “Yes”. To disable SSLv3 support, make the following changes and restart your browser:
    • Mozilla Firefox
      • Open about:config, find security.tls.version.min and set the value to 1.
    • Google Chrome
      • Newer versions of Chrome support TLS_FALLBACK_SCSV, which mitigates this issue.
      • You can explicitly disable support for SSLv3 by starting Chrome with the command-line flag --ssl-version-min=tls1. Further instructions about using command-line flags can be found here.
    • Internet Explorer
      • Go into “Internet Options”, “Advanced”, and uncheck SSLv3.
  • Scan your own infrastructure for this vulnerability using available tools. Two such tools are available from Tinfoil Security and SSL Labs.
  • Be cognizant of opportunistic phishers who email you urging you to patch your devices. Don’t click on links that look suspicious.
  • In general, it is good practice to reduce the surface area an attacker can exploit, so where possible disable unnecessary services such as web servers.
  • If you are unable to disable web servers that use SSLv3, limit remote access by applying network segmentation and appropriate access control lists to minimize impact.
  • Review the Product Impact list below and update applicable firmware.
    • ThinkPad, ThinkCentre and ThinkStation products should update the Intel Management Engine (ME) Firmware.
    • ThinkServer products should update the Base Management Controller (BMC) firmware.
    • LenovoEMC products should update the Lifeline software.
    • Software applications should be updated to the recommended version.
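The "Scan your own infrastructure" step above comes down to checking whether each of your HTTPS endpoints is still willing to negotiate SSLv3. As an added example (not Lenovo's code and not either of the tools named above), this Python script sends a minimal SSLv3 ClientHello and classifies the first record the server sends back; the host and port are assumptions you supply, and only the record type and version fields of the reply are inspected.

```python
import socket
import struct

# Added example (not Lenovo's code): probe a server of your own for SSLv3 support.
# A server with SSLv3 disabled answers an SSLv3 ClientHello with an Alert record
# (type 0x15) or drops the connection; one that still accepts it answers with a
# Handshake record (type 0x16) containing a ServerHello whose version is 0x0300.

SSLV3 = b"\x03\x00"


def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello record (a few common cipher suites, no extensions)."""
    ciphers = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"  # AES128-SHA, AES256-SHA, 3DES, RC4
    body = (SSLV3 + b"\x00" * 32                   # client_version + 32-byte random (zeros suffice for a probe)
            + b"\x00"                               # session_id length 0
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                          # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type client_hello, 3-byte length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Classify the first record a server returned in reply to the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"
    content_type = data[0]
    if content_type == 0x15:                        # Alert: the server refused the handshake
        return "sslv3-refused"
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # Handshake / ServerHello
        version = data[9:11]                        # server_version follows the 4-byte handshake header
        return "sslv3-accepted" if version == SSLV3 else "other-version"
    return "unexpected"


def check_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port (your own endpoint), send the probe and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-response"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumed: a host you administer
    print(target, check_sslv3(target))
```

Anything other than "sslv3-refused" or "no-response" from an endpoint you own means the firmware or software update steps above still apply to it.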

**Update 9/24/15:** It has come to our attention that the initial ThinkServer BMC fixes for POODLE were incomplete and did not disable SSLv3 on certain services. Please update to the latest ThinkServer BMC version listed below to address this issue.

Product Impact
