History: Jan 23, 2017 - 12:00 a.m.

Temporary Lenovo XClarity Administrator (LXCA) credentials may be exposed - Lenovo Support US

2017-01-23 00:00:00
support.lenovo.com
9

EPSS: 0

Percentile: 12.6%

Lenovo Security Advisory: LEN-10605

Potential Impact: Disclosure of temporary software-defined administrator credentials for LXCA by a non-privileged user

Severity: High

**Scope of Impact:** Lenovo specific

**CVE Identifier:** CVE-2016-8221

Summary Description:

During an internal security review, Lenovo identified a vulnerability in Lenovo XClarity Administrator (LXCA). It was determined that in the specific case when LXCA is used to manage rack switches or chassis with embedded input/output modules (IOMs), certain log files may contain passwords for internal administrative LXCA accounts with temporary passwords that are used only internally by LXCA code. As a result, an LXCA user without administrative privileges could log in to the LXCA system, download the log files, discover the temporary administrative password, and thereby gain access with elevated privileges to the LXCA system and to its managed hardware.

Lenovo XClarity Administrator is a centralized, resource-management solution for Lenovo server systems and solutions.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update to the latest version of LXCA, version 1.2.0 or later available here.

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1.0 | 10/13/2016 | Initial release |

For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
