Credentials sent through the Lenovo ToolsCenter may be exposed to local users

Type lenovo
Reporter Lenovo
Modified 2017-06-08T00:00:00


Lenovo Security Advisory: LEN-10810

Potential Impact: Sensitive information disclosure

Severity: Medium

Scope of Impact: Lenovo specific

CVE Identifier: CVE-2017-3743

Summary Description:

If multiple users are concurrently logged into a single system and one of them uses the Lenovo ToolsCenter Advanced Settings Utility (ASU), UpdateXpress System Pack Installer (UXSPI) or Dynamic System Analysis (DSA) to send a command to a second machine, the other users may be able to see the user ID and cleartext password used to access the second machine while the command is processing.

The Lenovo ToolsCenter is a collection of server management tools to help manage your server environment.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update ASU to version 10.2 or later.

Update UXSPI to version 10.3 or later.

Update DSA to version 10.3 or later.