CVE-2015-3324 - OpenCVE

The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an "encrypted remote KVM session," which allows man-in-the-middle attackers to spoof servers.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Lenovo	Thinkserver Rd350 Thinkserver Rd450 Thinkserver Rd550 Thinkserver Rd650 Thinkserver System Manager Baseboard Management Controller Firmware Thinkserver Td350

Configuration 1 [-]

AND

cpe:2.3:o:lenovo:thinkserver_system_manager_baseboard_management_controller_firmware:118.71532:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkserver_rd350:-:::::::*
	cpe:2.3:h:lenovo:thinkserver_rd450:-:::::::*
	cpe:2.3:h:lenovo:thinkserver_rd550:-:::::::*
	cpe:2.3:h:lenovo:thinkserver_rd650:-:::::::*
	cpe:2.3:h:lenovo:thinkserver_td350:-:::::::*

No data.

References

Link	Providers
http://support.lenovo.com/us/en/product_security/tsm_weak_pw
http://www.securityfocus.com/bid/74199

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2015-04-16T23:00:00

Updated: 2024-08-06T05:47:57.335Z

Reserved: 2015-04-16T00:00:00

Link: CVE-2015-3324

Vulnrichment

No data.

NVD

Status : Modified

Published: 2015-04-16T23:59:05.540

Modified: 2016-12-06T02:59:55.667

Link: CVE-2015-3324

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-03-24T00:00:00", "descriptions": [{"lang": "en", "value": "The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an \"encrypted remote KVM session,\" which allows man-in-the-middle attackers to spoof servers."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2016-12-02T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "74199", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/74199"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.lenovo.com/us/en/product_security/tsm_weak_pw"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3324", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an \"encrypted remote KVM session,\" which allows man-in-the-middle attackers to spoof servers."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "74199", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74199"}, {"name": "http://support.lenovo.com/us/en/product_security/tsm_weak_pw", "refsource": "CONFIRM", "url": "http://support.lenovo.com/us/en/product_security/tsm_weak_pw"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:47:57.335Z"}, "title": "CVE Program Container", "references": [{"name": "74199", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/74199"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.lenovo.com/us/en/product_security/tsm_weak_pw"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3324", "datePublished": "2015-04-16T23:00:00", "dateReserved": "2015-04-16T00:00:00", "dateUpdated": "2024-08-06T05:47:57.335Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lenovo:thinkserver_system_manager_baseboard_management_controller_firmware:118.71532:*:*:*:*:*:*:*", "matchCriteriaId": "8503502C-DE2B-4ABB-A0F5-5854AB3E4CBB", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkserver_rd350:-:*:*:*:*:*:*:*", "matchCriteriaId": "A988370E-47F4-4DC3-91AB-025360D07160", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkserver_rd450:-:*:*:*:*:*:*:*", "matchCriteriaId": "B994FC89-D6B6-4191-BC53-A36211DE94F8", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkserver_rd550:-:*:*:*:*:*:*:*", "matchCriteriaId": "4BDCBFD8-D031-4034-AEF9-6F31CC1C5814", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkserver_rd650:-:*:*:*:*:*:*:*", "matchCriteriaId": "B2211D4D-0EB0-4E15-83D5-E94138D68284", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkserver_td350:-:*:*:*:*:*:*:*", "matchCriteriaId": "83BDBAD4-5483-4D37-A727-D5FE876FF26E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an \"encrypted remote KVM session,\" which allows man-in-the-middle attackers to spoof servers."}, {"lang": "es", "value": "ThinkServer System Manager (TSM) Baseboard Management Controller anterior a firmware 1.27.73476 para ThinkServer RD350, RD450, RD550, RD650, y TD350 no valida los certificados de servidores durante una 'sesi\u00f3n KVM remota codificada,' lo que permite a atacantes man-in-the-middle falsificar servidores."}], "id": "CVE-2015-3324", "lastModified": "2016-12-06T02:59:55.667", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-04-16T23:59:05.540", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "http://support.lenovo.com/us/en/product_security/tsm_weak_pw"}, {"source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74199"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-310"}], "source": "nvd@nist.gov", "type": "Primary"}]}