LENOVO:PS500136-NOSID
Published: Aug 30, 2017 - 12:00 a.m.

Attacker with Access to LXCA Filesystem Could Access Local LXCA Account Credentials and LXCA Authenticated Command Injection - us

Source: support.lenovo.com

EPSS: 0.001 (Low), percentile 42.9%

Lenovo Security Advisory: LEN-16333

Potential Impact: An attacker who obtains access to the location where the LXCA file system is stored could access credentials of local LXCA accounts; an authenticated user could escalate privileges.

Severity: Medium to High

**Scope of Impact:** Lenovo Specific

**CVE Identifier:** CVE-2017-3763, CVE-2017-3770

Summary Description:

During an internal assessment, two vulnerabilities were discovered in the Lenovo XClarity Administrator (LXCA) management tool.

  1. CVE-2017-3763

An attacker who obtains access to the location where the LXCA file system is stored may be able to access credentials of local LXCA accounts.

When local users are created in the Lenovo XClarity Administrator (LXCA) management tool, LXCA manages and stores their account information in a local LDAP server on the LXCA image. All LDAP data is stored on the disk that is included with the LXCA image. This data includes all local LDAP user passwords and any passwords in the users’ histories, which are normally secured by hashing them before storing them on disk. It was discovered that these password values are encoded, but they are not hashed.

The encoded password values are stored in a location on the disk that is normally not accessible to a user in any way. Local shell access is disabled by default on the LXCA image, and the LDAP file data is not exposed by any application on the network. However, if an LXCA administrator discovered a means to access the LXCA filesystem, then the root user would be able to access the LDAP file data and decode the passwords of any local LXCA LDAP users.
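As an added defender-side example (not Lenovo code), the check below audits a constructed LDIF export of a directory and flags userPassword values that are merely encoded or in cleartext rather than stored as one-way hashes, which is the condition described above. It assumes the RFC 2307 "{SCHEME}value" convention for the attribute; the advisory does not say how LXCA's embedded LDAP server lays it out.

```python
import base64
import hashlib
import re

# Added audit example, not Lenovo code. It assumes the RFC 2307 "{SCHEME}value"
# convention; the advisory does not say how LXCA's LDAP server lays the attribute out.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "SSHA256", "SSHA512", "PBKDF2"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def _decodes_to_text(value):
    """Return the decoded string if value is base64 of printable ASCII, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except ValueError:  # bad base64 (binascii.Error) or non-ASCII bytes
        return None
    return text if text and text.isprintable() else None

def classify_password_value(value):
    """'hashed' (one-way scheme), 'encoded' (reversible), 'cleartext' or 'unknown'."""
    m = SCHEME_RE.match(value)
    if m and m.group(1).upper() in HASHED_SCHEMES:
        return "hashed"
    body = m.group(2) if m else value
    if _decodes_to_text(body) is not None:
        return "encoded"  # anyone who can read the file can recover the password
    return "unknown" if m else "cleartext"

def audit_ldif(ldif):
    """Map each dn in an LDIF dump to the classification of its userPassword."""
    findings, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif line.startswith("userPassword:: "):  # LDIF base64-wrapped attribute value
            findings[dn] = classify_password_value(base64.b64decode(line[15:]).decode())
        elif line.startswith("userPassword: "):
            findings[dn] = classify_password_value(line[14:].strip())
    return findings

def make_ssha(password, salt):
    """Salted SHA-1 in OpenLDAP's {SSHA} layout: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

# Constructed sample export: one hashed, one merely base64-encoded, one cleartext entry.
SAMPLE_LDIF = "\n".join([
    "dn: cn=admin,dc=example", "userPassword: " + make_ssha("correct horse", b"12345678"),
    "dn: cn=svc-backup,dc=example",
    "userPassword:: " + base64.b64encode(base64.b64encode(b"Winter2017!")).decode(),
    "dn: cn=auditor,dc=example", "userPassword: Summer2017!",
])
```

Run `audit_ldif` over a real export and treat every "encoded" or "cleartext" verdict as the finding this advisory describes; the base64 heuristic can misclassify short values, so review "unknown" entries by hand.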

  2. CVE-2017-3770

A privilege escalation vulnerability was discovered in LXCA where an authenticated user may be able to abuse certain web interface functionality to execute privileged commands within the underlying LXCA operating system.

Lenovo XClarity Administrator is a centralized, resource-management solution for Lenovo server systems and solutions.

Mitigation Strategy for Customers (what you should do to protect yourself):

Update LXCA to the latest version 1.3.2 or later.

For a complete list of all Lenovo Product Security Advisories, click here.

Revision History:

Revision | Date | Description
---|---|---
1 | 09/21/2017 | Initial release

For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an "as is" basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.
