LENOVO:PS500089-CREDENTIAL-DISCLOSURE-IN-LXCA-LOG-FILES-NOSID
Feb 02, 2017 - 12:00 a.m.

Credential disclosure in LXCA log files - Lenovo Support US

2017-02-02 00:00:00
support.lenovo.com
9

EPSS

0.002

Percentile

64.7%

Lenovo Security Advisory: LEN-11635

Potential Impact: Disclosure of credentials to a non-privileged user

Severity: High

**Scope of Impact:** Lenovo-specific

**CVE Identifier:** CVE-2016-8233

Summary Description:

During an internal security review, log files generated by Lenovo XClarity Administrator (LXCA) were found to contain user credential information in a non-secure, clear text form that could be viewed by a non-privileged user. Lenovo XClarity Administrator is a centralized, resource-management solution for Lenovo server systems and solutions.

The log files generated may include:

- SSH password

- SNMPv3 authentication password

- SNMPv3 privacy password

- Switch ‘enable’ password

- A configured recovery password used to manage a chassis within the LXCA

- The network proxy password

- The managed endpoint login credentials

- Under certain configurations, the login credentials of the managed operating system

- Username and password of a configured proxy server

Mitigation Strategy for Customers (what you should do to protect yourself):

Update LXCA to version 1.2.2 or later, available here.

Lenovo recommends that administrators change passwords on devices managed by LXCA if users that don’t otherwise have knowledge of those passwords have been granted access to LXCA.

Also, users should both clear the logs on the LXCA virtual machine and delete any LXCA-generated log files downloaded to their system drives.

The LXCA virtual machine logs can be cleared by going to Administration -> Service and Support. Then from the “Management Server Files” tab, go to “All Actions” and choose “Clear Log Files”.
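Before deleting LXCA log files that were downloaded to a workstation, it helps to know which of the credential classes listed above they contain, so the matching passwords can be rotated. The script below is an added example, not Lenovo's code: the advisory does not document the log format, so the `key=value` layout, the key-name hints and the sample lines are all assumptions constructed for illustration.

```python
import re
import sys
from collections import Counter

# Advisory credential classes -> ASSUMED key-name hints; the advisory does not
# document LXCA's log format, so adjust these to the keys your logs contain.
CATEGORIES = [
    ("SSH password", "ssh"), ("SNMPv3 authentication password", "snmp.*auth"),
    ("SNMPv3 privacy password", "snmp.*priv"), ("Switch 'enable' password", "enable"),
    ("Recovery password", "recover"), ("Proxy password", "proxy"),
]
# ASSUMED layout: key=value or key: value, with the key ending in password/passwd/pwd.
PAIR = re.compile(r"\b([\w.-]*(?:password|passwd|pwd))\s*[=:]\s*\"?([^\s\",;]+)", re.I)
MASKED = re.compile(r"^(\*+|x+|<redacted>)$", re.I)  # values that are already masked

def classify(key):
    for name, hint in CATEGORIES:
        if re.search(hint, key, re.I):
            return name
    return "Unclassified password field"

def redact(line):
    # Mask every matched value so the findings themselves do not leak secrets.
    return PAIR.sub(lambda m: m.group(0)[: m.start(2) - m.start(0)] + "<REDACTED>", line)

def scan_lines(lines):
    """Return (Counter of classes found, [(line_no, class, redacted_line)])."""
    counts, hits = Counter(), []
    for no, line in enumerate(lines, 1):
        for m in PAIR.finditer(line):
            if MASKED.match(m.group(2)):
                continue  # value is already masked, not clear text
            cls = classify(m.group(1))
            counts[cls] += 1
            hits.append((no, cls, redact(line.rstrip("\n"))))
    return counts, hits

# Constructed sample lines, not real LXCA output.
SAMPLE = [
    "2017-01-10 10:02:11 INFO  discovery: host=10.0.0.5 ssh_password=Examp1e!",
    "2017-01-10 10:02:12 DEBUG snmp: snmpv3_auth_password=authpw snmpv3_priv_password=privpw",
    "2017-01-10 10:02:13 INFO  proxy: proxy_user=svc proxy_password=********",
]

if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    counts, hits = scan_lines(lines)
    for no, cls, safe in hits:
        print(f"line {no}: {cls}: {safe}")
    print("Rotate:", ", ".join(sorted(counts)) or "nothing found")
```

Run it with a log file path as the only argument; with no argument it scans the constructed sample.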

For a complete list of all Lenovo Product Security Advisories, click here.

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1.0 | 2/2/2017 | Initial release |

For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
