Lenovo XClarity Controller (XCC) Information Disclosure Vulnerability

Lenovo Security Advisory: LEN-52117

Potential Impact: Information disclosure

Severity: Medium

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2021-3473

Summary Description:

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.
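The exposure condition described above (an LXCA-initiated backup/restore followed by an FFDC service log while the password is still in the buffer) can be checked against audit records. This Python code is an added example, not Lenovo code: the event schema, host and user names, and the `ffdc_at_risk` function are hypothetical, and the 10-minute window is an assumption taken from the advisory's "typically less than 10 minutes" figure.

```python
from datetime import datetime, timedelta

# Assumption: the advisory says the password "typically" stays in the buffer
# for under 10 minutes; treat that as a tunable window, not a guarantee.
EXPOSURE_WINDOW = timedelta(minutes=10)

# Constructed sample events in a hypothetical normalized schema:
# (ISO timestamp, XCC host, event kind, initiator).
SAMPLE_EVENTS = [
    ("2021-03-02T09:00:00", "xcc-01", "config_backup", "LXCA"),
    ("2021-03-02T09:04:30", "xcc-01", "ffdc_generated", "admin1"),
    ("2021-03-02T09:30:00", "xcc-01", "ffdc_generated", "admin1"),
    ("2021-03-02T10:00:00", "xcc-02", "config_restore", "XCC"),
    ("2021-03-02T10:02:00", "xcc-02", "ffdc_generated", "admin2"),
    ("2021-03-02T11:00:00", "xcc-03", "config_backup", "LXCA"),
    ("2021-03-02T11:10:00", "xcc-03", "ffdc_generated", "admin3"),
]

BACKUP_KINDS = {"config_backup", "config_restore"}


def ffdc_at_risk(events, window=EXPOSURE_WINDOW):
    """Return FFDC generations that fall inside the window after an
    LXCA-initiated backup/restore on the same XCC."""
    parsed = sorted(
        (datetime.fromisoformat(ts), host, kind, who)
        for ts, host, kind, who in events
    )
    last_lxca_op = {}  # host -> time of latest LXCA-initiated backup/restore
    findings = []
    for when, host, kind, who in parsed:
        if kind in BACKUP_KINDS:
            # Operations started directly from XCC do not capture the password.
            if who == "LXCA":
                last_lxca_op[host] = when
        elif kind == "ffdc_generated" and host in last_lxca_op:
            age = when - last_lxca_op[host]
            if age <= window:  # boundary included, to stay conservative
                findings.append(
                    (host, who, when.isoformat(), int(age.total_seconds()))
                )
    return findings


if __name__ == "__main__":
    for host, user, when, age in ffdc_at_risk(SAMPLE_EVENTS):
        print(f"{host}: FFDC by {user} at {when}, {age}s after LXCA operation")
```

Each finding identifies an FFDC archive that may contain the backup/restore password and the privileged user who holds it.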

Mitigation Strategy for Customers (what you should do to protect yourself):

Update to the Lenovo XClarity Controller (XCC) version (or higher) as recommended in the Product Impact section below.

Product Impact:

Lenovo XClarity Controller (XCC) Version 6.00 CDI370Q: https://datacentersupport.lenovo.com/us/en/downloads/ds549001

- Supports Lenovo ThinkSystem SR630, Machine Types: 7X01,7X02
- Supports Lenovo ThinkSystem SR550, Machine Types: 7X03,7X04
- Supports Lenovo ThinkSystem SR650, Machine Types: 7X05,7X06,7D5R,7Z20
- Supports Lenovo ThinkSystem SR530, Machine Types: 7X07,7X08
- Supports Lenovo ThinkSystem ST550, Machine Types: 7X09,7X10
- Supports Lenovo ThinkSystem SR590, Machine Types: 7X98,7X99
- Supports Lenovo ThinkSystem SR570, Machine Types: 7Y02,7Y03
- Supports Lenovo ThinkSystem ST558, Machine Types: 7Y15,7Y16
- Supports Lenovo ThinkAgile VX Series, Machine Types: 7Y13,7Y14,7Y93,7Y94
- Supports Lenovo ThinkAgile HX Series, Machine Types: 7X83,7X84,7Y89,7Y90,7Z04,7Z05,7Z06,7Z07
- Supports Lenovo ThinkAgile MX Certified Nodes, Machine Types: 7Z20

Lenovo XClarity Controller (XCC) Version 1.10 TGBT12Q: https://datacentersupport.lenovo.com/us/en/downloads/ds549049

- Supports Lenovo ThinkSystem SR850 V2, Machine Types: 7D31,7D32,7D33
- Supports Lenovo ThinkSystem SR860 V2, Machine Types: 7D42,7Z59,7Z60

Lenovo XClarity Controller (XCC) Version 3.20 TEI378W: https://datacentersupport.lenovo.com/us/en/downloads/ds548955

- Supports Lenovo ThinkSystem SE350, Machine Types: 7Z46,7D1X,7D27
- Supports ThinkAgile MX Certified Node on SE350, Machine Types: 7D1B, 7D2U
- Supports HX Series, Machine Types: 7D1Z,7D20,7Z29,7D2T
- Supports ThinkAgile MX1020 MX Edge Appliance (BIS), Machine Types: 7D5T
- Supports ThinkAgile MX1020 MX Edge Appliance (WW), Machine Types: 7D5S
- Supports ThinkAgile VX Series, Machine Types: 7D1Y,7D28
- Supports Lenovo ThinkSystem SR850P, Machine Types: 7D2F,7D2G,7D2H
- Supports Lenovo ThinkSystem SR670 Server, Machine Types: 7Y36, 7Y37, 7Y38, 7D4L

Lenovo XClarity Controller (XCC) Version 2.14 PSI338I: https://datacentersupport.lenovo.com/us/en/downloads/ds549192

- Supports System: Lenovo ThinkSystem SR950 Server, Machine Types: 7X12

Lenovo XClarity Controller (XCC) Version 4.40 TEI3B2P: https://datacentersupport.lenovo.com/us/en/downloads/ds549048

- Supports Lenovo ThinkSystem SR850, Machine Types: 7X18, 7X19
- Supports Lenovo ThinkSystem SR860, Machine Types: 7X69, 7X70
- Supports Lenovo ThinkSystem SD530, Machine Types: 7X21
- Supports Lenovo ThinkSystem SN550, Machine Types: 7X16
- Supports Lenovo ThinkSystem SN850, Machine Types: 7X15
- Supports Lenovo ThinkSystem ST250/ST258, Machine Types: 7Y45,7Y46,7Y47
- Supports Lenovo ThinkSystem SR150/SR158, Machine Types: 7Y54,7Y55
- Supports Lenovo ThinkSystem SR250/SR258, Machine Types: 7Y51,7Y52,7Y72,7Y73,7Y53
- Supports Lenovo ThinkAgile HX series, Machine Types: 7X82, 7Y88, 7Z03
- Supports Lenovo ThinkAgile VX series, Machine Types: 7Y11, 7Y12, 7Y92
- Supports Lenovo ThinkSystem SD650 DWC Dual Node Tray, Machine Types: 7X58

Revision History:

| Revision | Date | Description |
|---|---|---|
| 1 | 2021-04-13 | Initial release |

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.


Alias Id: LEN-52117
Document ID: PS500402
Original Publish Date: 04/13/2021
Last Modified Date: 04/13/2021