Some ThinkServer systems may be reset to default configurations during prolonged broadcast storm
Lenovo Security Advisory: LEN-9307
Potential Impact: Reset of TSM to defaults
Severity: High
Scope of Impact: Lenovo specific
CVE Identifier: CVE-2016-8236
Summary Description:
A vulnerability was identified on certain Lenovo ThinkServer systems where the ThinkServer System Manager (TSM) may reset to its default configuration if a prolonged broadcast storm occurs on the local area network segment that the TSM is connected to. When this occurs, the username and password will be set to the defaults and all configuration settings will be reset.
The TSM is equipped with a watchdog timer that will reboot the TSM if it detects that it has hung. If multiple reboots in quick succession are triggered by this timer, the TSM is configured to reset to defaults as a means of recovering the TSM to a baseline operational state. In this issue, this behavior was triggered by a broadcast storm that consumed TSM resources. The firmware update addresses this behavior.
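Because the trigger described above is a prolonged broadcast storm on the segment the TSM is connected to, that segment is worth monitoring until the firmware is updated. The following Python is an added example, not Lenovo code: it flags sustained storm-level rates from polled IF-MIB `ifHCInBroadcastPkts` counter readings. The thresholds, function names and sample data are assumptions.

```python
from dataclasses import dataclass

# Assumed thresholds (not from the advisory); tune to the segment's normal baseline.
STORM_PPS = 5000       # inbound broadcast packets/second treated as storm level
MIN_DURATION_S = 120   # seconds the rate must persist to count as "prolonged"

@dataclass
class Storm:
    start: int        # time of the first sample of the storm-level run
    end: int          # time of the last sample of the run
    peak_pps: float

def find_prolonged_storms(samples, storm_pps=STORM_PPS, min_duration=MIN_DURATION_S):
    """samples: time-ordered (seconds, ifHCInBroadcastPkts) counter readings for
    the interface facing the TSM management segment."""
    storms, start, peak = [], None, 0.0
    if len(samples) < 2:
        return storms

    def close(end):
        # End the current run; report it only if it lasted long enough.
        nonlocal start, peak
        if start is not None and end - start >= min_duration:
            storms.append(Storm(start, end, peak))
        start, peak = None, 0.0

    prev_t, prev_c = samples[0]
    for t, c in samples[1:]:
        dt, dc, interval_start = t - prev_t, c - prev_c, prev_t
        prev_t, prev_c = t, c
        if dt <= 0 or dc < 0:
            # Counter went backwards (device reboot or counter reset) or the
            # timestamps are unusable: rate unknown, so end any open run here.
            close(interval_start)
        elif dc / dt >= storm_pps:
            if start is None:
                start = interval_start
            peak = max(peak, dc / dt)
        else:
            close(interval_start)
    close(prev_t)
    return storms

# Constructed 30-second polling data (not real measurements).
SAMPLE = [(0, 1_000_000), (30, 1_003_000), (60, 1_006_000), (90, 1_306_000),
          (120, 1_666_000), (150, 2_026_000), (180, 2_326_000), (210, 2_329_000),
          (240, 2_629_000), (270, 500), (300, 3_500)]

if __name__ == "__main__":
    for s in find_prolonged_storms(SAMPLE):
        print(f"prolonged broadcast storm {s.start}s-{s.end}s, peak {s.peak_pps:.0f} pps")
```

In the sample data, the 30-second burst before the counter reset at 270 s is not reported because it is shorter than the assumed minimum duration.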
Mitigation Strategy for Customers (what you should do to protect yourself):
Update your TSM to the latest level of firmware by following the links below.
Product | Status | Minimum Fix Version | Web Link | Last Updated |
ThinkServer RD440 | Not Affected | - | - | 12/15/2016 |
ThinkServer RD540 | Not Affected | - | - | 12/15/2016 |
ThinkServer RD640 | Not Affected | - | - | 12/15/2016 |
ThinkServer RD350 | Affected | 3.77 | http://support.lenovo.com/downloads/DS102390 | 12/15/2016 |
ThinkServer RD450 | Affected | 3.77 | http://support.lenovo.com/downloads/DS102390 | 12/15/2016 |
ThinkServer RD550 | Affected | 3.77 | http://support.lenovo.com/downloads/DS102390 | 12/15/2016 |
ThinkServer RD650 | Affected | 3.77 | http://support.lenovo.com/downloads/DS102390 | 12/15/2016 |
ThinkServer RQ940 | Not Affected | - | - | 12/15/2016 |
ThinkServer TD340 | Not Affected | - | - | 12/15/2016 |
ThinkServer TD350 | Affected | 3.77 | http://support.lenovo.com/downloads/DS102390 | 12/15/2016 |
ThinkServer RQ750 | Not Affected | - | - | 12/15/2016 |
ThinkServer RS140 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS140 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS440 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS150 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS250 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS450 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS550 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS240 | Not Affected | - | - | 12/15/2016 |
ThinkServer TS540 | Not Affected | - | - | 12/15/2016 |
ThinkServer RD340 | Not Affected | - | - | 12/15/2016 |
Revision History:
Revision | Date | Description |
1.0 | 12/15/2016 | Initial release |
For the most up-to-date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.