CVE-2021-3956 - Vulnerability Details - OpenCVE

Description

A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

Published: 2022-05-18

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Lenovo

XClarity Controller (XCC)

affected

Version	Status	Constraints
`various Third Quarter 2021 releases`	affected	—

Configuration 1 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx1320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx2321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3321:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3375:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3376:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7521:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx2320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3320:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx5520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:::::::*
	cpe:2.3:h:lenovo:thinkstation_p920:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr530:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr570:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr590:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr630:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr645:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr665:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_st550:-:::::::*

Configuration 2 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_hx7820:-:::::::*
	cpe:2.3:h:lenovo:thinkagile_hx7821:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr950:-:::::::*

Configuration 3 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinkagile_mx1021:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_se350:-:::::::*

Configuration 4 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sd650:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn550:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sn850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr850:-:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:-:::::::*

Configuration 5 [-]

AND

cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*

OR	cpe:2.3:h:lenovo:thinksystem_sr850:2.0:::::::*
	cpe:2.3:h:lenovo:thinksystem_sr860:2.0:::::::*

No data.

No data available yet.

Remediation

Vendor Solution

Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2021-27165	A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports “unauthenticated bind”, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only “authenticated bind” and/or “anonymous bind” are not affected.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00183.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://support.lenovo.com/us/en/product_security/LEN-72074

History

No history.

Subscriptions

Lenovo Thinkagile Hx1320 Thinkagile Hx1321 Thinkagile Hx1520-r Thinkagile Hx1521-r Thinkagile Hx2320-e Thinkagile Hx2321 Thinkagile Hx3320 Thinkagile Hx3321 Thinkagile Hx3375 Thinkagile Hx3376 Thinkagile Hx3520-g Thinkagile Hx3521-g Thinkagile Hx5520 Thinkagile Hx5520-c Thinkagile Hx5521 Thinkagile Hx5521-c Thinkagile Hx7520 Thinkagile Hx7521 Thinkagile Hx7820 Thinkagile Hx7821 Thinkagile Mx1021 Thinkagile Vx2320 Thinkagile Vx3320 Thinkagile Vx3520-g Thinkagile Vx5520 Thinkagile Vx7320 N Thinkagile Vx7520 Thinkagile Vx7520 N Thinkstation P920 Thinksystem Sd650 Thinksystem Se350 Thinksystem Sn550 Thinksystem Sn850 Thinksystem Sr530 Thinksystem Sr550 Thinksystem Sr570 Thinksystem Sr590 Thinksystem Sr630 Thinksystem Sr645 Thinksystem Sr650 Thinksystem Sr665 Thinksystem Sr850 Thinksystem Sr860 Thinksystem Sr950 Thinksystem St550 Xclarity Controller

MITRE

Status: PUBLISHED

Assigner: lenovo

Published: 2022-05-18T16:10:24.000Z

Updated: 2024-08-03T17:09:09.619Z

Reserved: 2021-11-12T00:00:00.000Z

Link: CVE-2021-3956

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-05-18T16:15:08.063

Modified: 2024-11-21T06:23:13.527

Link: CVE-2021-3956

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-863

{"containers": {"cna": {"affected": [{"product": "XClarity Controller (XCC)", "vendor": "Lenovo", "versions": [{"status": "affected", "version": "various Third Quarter 2021 releases"}]}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-05-18T16:10:24.000Z", "orgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "shortName": "lenovo"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "solutions": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@lenovo.com", "ID": "CVE-2021-3956", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "XClarity Controller (XCC)", "version": {"version_data": [{"version_affected": "=", "version_value": "various Third Quarter 2021 releases"}]}}]}, "vendor_name": "Lenovo"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-863 Incorrect Authorization"}]}]}, "references": {"reference_data": [{"name": "https://support.lenovo.com/us/en/product_security/LEN-72074", "refsource": "MISC", "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}]}, "solution": [{"lang": "en", "value": "Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section of LEN-72074."}], "source": {"advisory": "LEN-72074", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T17:09:09.619Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}]}]}, "cveMetadata": {"assignerOrgId": "da227ddf-6e25-4b41-b023-0f976dcaca4b", "assignerShortName": "lenovo", "cveId": "CVE-2021-3956", "datePublished": "2022-05-18T16:10:24.000Z", "dateReserved": "2021-11-12T00:00:00.000Z", "dateUpdated": "2024-08-03T17:09:09.619Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "1749A9CB-1719-4CC8-8476-D06D99BB2A2F", "versionEndExcluding": "7.22_cdi382o", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1320:-:*:*:*:*:*:*:*", "matchCriteriaId": "E72B2526-8BD9-49FD-BDCF-B654BCEAC8AE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1321:-:*:*:*:*:*:*:*", "matchCriteriaId": "ADFD8C5A-D9E0-4EFF-92A3-17A6DBE7D155", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1520-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "648DD614-F500-4FFB-8FD4-D2B284FE5E55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx1521-r:-:*:*:*:*:*:*:*", "matchCriteriaId": "D33A804F-C94C-4A6C-AA84-957834680652", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2320-e:-:*:*:*:*:*:*:*", "matchCriteriaId": "DECFCE59-8456-47A3-8A8E-989813E37674", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx2321:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5E515C4-D2F2-4A71-9A9C-70A80477352A", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "03D3EBE9-34C1-45CA-A800-B313110409DC", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3321:-:*:*:*:*:*:*:*", "matchCriteriaId": "86E6A2F7-7EC0-46E1-A973-2172B076E883", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3375:-:*:*:*:*:*:*:*", "matchCriteriaId": "E8126219-A07C-42A6-9553-B6AE499DB6BF", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3376:-:*:*:*:*:*:*:*", "matchCriteriaId": "57D7A545-BE29-4F0B-AC77-8E6DE955CA5B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "B9D354C3-0183-42D9-97D0-C9888B023195", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx3521-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "1E0DDCC8-46B7-43FA-8A4A-BCE8AB7F8480", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A9FDCC0-F45C-4AA1-BB11-0761A25BF16B", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5520-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "4EB95DEC-D622-4AD7-AC69-077A94BD752C", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521:-:*:*:*:*:*:*:*", "matchCriteriaId": "924C1B4B-6E97-4942-8000-BB59860913EE", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx5521-c:-:*:*:*:*:*:*:*", "matchCriteriaId": "5788FFBD-69B4-4FB6-A2D2-4C6BA6CCE769", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "16776C5F-CCAF-4F22-B570-FE49A0B73FF7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7521:-:*:*:*:*:*:*:*", "matchCriteriaId": "F350D6FE-7BE1-46C9-B1A6-4EE0AF8BCB55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx2320:-:*:*:*:*:*:*:*", "matchCriteriaId": "BF7500A0-B95E-4E16-B532-28C139C94AF3", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3320:-:*:*:*:*:*:*:*", "matchCriteriaId": "4A8B3E93-970D-4B49-B5A6-6BFAC45BAAC4", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx3520-g:-:*:*:*:*:*:*:*", "matchCriteriaId": "72422C47-0027-4B4E-9C82-78FE8A8A6D75", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx5520:-:*:*:*:*:*:*:*", "matchCriteriaId": "704A1043-7626-412C-8666-9088B3AA1147", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7320_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "435794D6-7773-4D93-96E2-7269EB863A04", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520:-:*:*:*:*:*:*:*", "matchCriteriaId": "E25483F5-F222-42AF-ACA4-580CD2965C55", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_vx7520_n:-:*:*:*:*:*:*:*", "matchCriteriaId": "4C923CF1-EB97-431F-9D85-0CB5C921A040", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkstation_p920:-:*:*:*:*:*:*:*", "matchCriteriaId": "D47FCAA7-B33F-4F00-85BA-AA8ED4790572", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr530:-:*:*:*:*:*:*:*", "matchCriteriaId": "F4C6628A-8A99-4841-A7C5-0445A03C638D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr550:-:*:*:*:*:*:*:*", "matchCriteriaId": "D10850BF-A7EA-4B84-B2EF-66DCCC301514", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr570:-:*:*:*:*:*:*:*", "matchCriteriaId": "8A7C5BE3-5429-46B0-B0B5-C86A9B6376A7", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr590:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3DC615C-A88A-4C45-892F-77C5E84104E8", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr630:-:*:*:*:*:*:*:*", "matchCriteriaId": "D7F10C8D-C9C7-4FAD-980D-7A602C8BE81D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr645:-:*:*:*:*:*:*:*", "matchCriteriaId": "DE27586B-1CC9-42A3-B763-93972E204A6D", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr650:-:*:*:*:*:*:*:*", "matchCriteriaId": "C6C2B5BB-6E1F-4E01-AAE8-A8239AB8945E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr665:-:*:*:*:*:*:*:*", "matchCriteriaId": "1AE69184-CA94-4A27-AFF2-3B1B81D25CBA", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_st550:-:*:*:*:*:*:*:*", "matchCriteriaId": "A5B19107-5B45-4E45-8B34-90B5A1FF3962", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "6975F7A6-DBC8-42D4-B067-E397FD978F3E", "versionEndExcluding": "2.32_psi342n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7820:-:*:*:*:*:*:*:*", "matchCriteriaId": "DA2540A2-1462-42F7-949C-9881544DE684", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinkagile_hx7821:-:*:*:*:*:*:*:*", "matchCriteriaId": "0E153D62-9443-4F52-BA47-5C2704E05BC9", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr950:-:*:*:*:*:*:*:*", "matchCriteriaId": "B6B0407D-D603-48AE-9A42-F4C68056E19D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "2D3658E6-8820-45E5-8357-7A9EB564553A", "versionEndExcluding": "3.41_tei382m", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinkagile_mx1021:-:*:*:*:*:*:*:*", "matchCriteriaId": "C24F4237-BD63-4A87-B44A-970871642E27", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_se350:-:*:*:*:*:*:*:*", "matchCriteriaId": "FD4B877C-8D19-4AD2-948D-ADBD9B1BEEED", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "97D0E172-D188-4293-BD6D-94128304F07E", "versionEndExcluding": "4.83_tei3c0n", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sd650:-:*:*:*:*:*:*:*", "matchCriteriaId": "7A1FF5D0-CC08-42B0-9798-55ED911B3EF6", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn550:-:*:*:*:*:*:*:*", "matchCriteriaId": "5DB64709-93BA-43D8-A1DB-4CE405291430", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sn850:-:*:*:*:*:*:*:*", "matchCriteriaId": "1DB0C393-2CB4-485F-93E2-2F28B19F9325", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:-:*:*:*:*:*:*:*", "matchCriteriaId": "19771143-D5F1-4F2F-AB83-09913894681E", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:-:*:*:*:*:*:*:*", "matchCriteriaId": "EAF08144-ECCB-477B-A934-E4578522BFEE", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lenovo:xclarity_controller:*:*:*:*:*:*:*:*", "matchCriteriaId": "E6F17BC4-421A-453D-B933-97AA7BBED79E", "versionEndExcluding": "1.51_tgbt24l", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lenovo:thinksystem_sr850:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "95893E4E-6850-4C53-A5D6-12C3B9BB0E92", "vulnerable": false}, {"criteria": "cpe:2.3:h:lenovo:thinksystem_sr860:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E1F9CC8A-CCFA-4499-A2C8-6251EF43968D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "A read-only authentication bypass vulnerability was reported in the Third Quarter 2021 release of Lenovo XClarity Controller (XCC) firmware affecting XCC devices configured in LDAP Authentication Only Mode and using an LDAP server that supports \u201cunauthenticated bind\u201d, such as Microsoft Active Directory. An unauthenticated user can gain read-only access to XCC in such a configuration, thereby allowing the XCC device configuration to be viewed but not changed. XCC devices configured to use local authentication, LDAP Authentication + Authorization Mode, or LDAP servers that support only \u201cauthenticated bind\u201d and/or \u201canonymous bind\u201d are not affected."}, {"lang": "es", "value": "Se ha informado de una vulnerabilidad de elusi\u00f3n de autenticaci\u00f3n de solo lectura en la versi\u00f3n del tercer trimestre de 2021 del firmware de Lenovo XClarity Controller (XCC) que afecta a los dispositivos XCC configurados en el modo de solo autenticaci\u00f3n LDAP y que usan un servidor LDAP que admite \u20ac\u0153unauthenticated bind\u00e2\u20ac?, como Microsoft Active Directory. Un usuario no autenticado puede conseguir acceso de s\u00f3lo lectura al XCC en dicha configuraci\u00f3n, lo que permite visualizar la configuraci\u00f3n del dispositivo XCC pero no modificarla. Los dispositivos XCC configurados para usar la autenticaci\u00f3n local, el modo de autenticaci\u00f3n + autorizaci\u00f3n LDAP o los servidores LDAP que s\u00f3lo admiten la \"vinculaci\u00f3n autenticada\" y/o la \"vinculaci\u00f3n an\u00f3nima\" no est\u00e1n afectados"}], "id": "CVE-2021-3956", "lastModified": "2024-11-21T06:23:13.527", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "psirt@lenovo.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-18T16:15:08.063", "references": [{"source": "psirt@lenovo.com", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://support.lenovo.com/us/en/product_security/LEN-72074"}], "sourceIdentifier": "psirt@lenovo.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "psirt@lenovo.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}