Lenovo Security Bulletin: LEN-10605
Potential impact: Disclosure of temporary, software-defined LXCA administrator credentials to non-privileged users
Scope of impact: Lenovo-specific products
During an internal security review, Lenovo identified a vulnerability in Lenovo XClarity Administrator (LXCA). In particular cases where LXCA is used to manage a rack switch or a chassis with an embedded input/output module (IOM), some log files may contain a password for an internal LXCA administrator account. These are temporary passwords that are used only internally by LXCA code. As a result, LXCA users without administrative privileges can log on to the LXCA system, download the log files, discover the temporary administrative passwords, and then use them to access the LXCA system and its managed hardware with elevated privileges.
Lenovo XClarity Administrator is a centralized resource management solution for Lenovo server systems.
What you should do to protect yourself:
Update LXCA to the latest version, 1.2.0 or later.
| Revision | Date | Description |
|---|---|---|
| 1 | 11/15/2016 | Initial version |
For the latest information, stay current with Lenovo's updates and announcements about your equipment and software. The information in this bulletin is provided "as is", without any guarantee of its content. Lenovo reserves the right to change or update this bulletin at any time.