Vulnerabilities
CVE-2019-6170
MEDIUM: A potential vulnerability in the SMI callback function used in the Legacy USB driver using boot services structure in runtime phase in some Lenovo ThinkPad models may allow arbitrary code execution.
CVE-2019-6161
UNKNOWN: An internal product security audit discovered a session handling vulnerability in the web interface of ThinkAgile CP-SB (Storage Block) BMC in firmware versions prior to 1908.M. This vulnerability allows session IDs to be reused, which could provide unauthorized access to the BMC under certain circumstances. This vulnerability does not affect ThinkSystem XCC, System x IMM2, or other BMCs.
CVE-2019-6175
UNKNOWN: A denial of service vulnerability was reported in Lenovo System Update versions prior to 5.07.0088 that could allow configuration files to be written to non-standard locations.
CVE-2019-6182
MEDIUM: A stored CSV Injection vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to store malformed data in LXCA Jobs and Event Log data, that could result in crafted formulas stored in an exported CSV file. The crafted formula is not executed on LXCA itself.
CVE-2019-6181
MEDIUM: A reflected cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow a crafted URL, if visited, to cause JavaScript code to be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
CVE-2019-6180
MEDIUM: A stored cross-site scripting (XSS) vulnerability was reported in Lenovo XClarity Administrator (LXCA) versions prior to 2.5.0 that could allow an administrative user to cause JavaScript code to be stored in LXCA which may then be executed in the user's web browser. The JavaScript code is not executed on LXCA itself.
CVE-2019-6179
MEDIUM: An XML External Entity (XXE) processing vulnerability was reported in Lenovo XClarity Administrator (LXCA) prior to version 2.5.0, Lenovo XClarity Integrator (LXCI) for Microsoft System Center prior to version 7.7.0, and Lenovo XClarity Integrator (LXCI) for VMware vCenter prior to version 6.1.0 that could allow information disclosure.
CVE-2019-6177
HIGH: A vulnerability reported in Lenovo Solution Center version 03.12.003, which is no longer supported, could allow log files to be written to non-standard locations, potentially leading to privilege escalation. Lenovo ended support for Lenovo Solution Center and recommended that customers migrate to Lenovo Vantage or Lenovo Diagnostics in April 2018.
CVE-2019-6171
MEDIUM: A vulnerability was reported in various BIOS versions of older ThinkPad systems that could allow a user with administrative privileges or physical access to update the Embedded Controller with unsigned firmware.
CVE-2019-6165
HIGH: A DLL search path vulnerability was reported in PaperDisplay Hotkey Service version 1.2.0.8 that could allow privilege escalation. Lenovo has ended support for PaperDisplay Hotkey software as the Night light feature introduced in Windows 10 Build 1703 provides similar features.
CVE-2019-6169
MEDIUM: A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow unencrypted downloads over FTP.
CVE-2019-6168
HIGH: A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution.
CVE-2019-6167
HIGH: A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow remote code execution.
CVE-2019-6166
MEDIUM: A vulnerability reported in Lenovo Service Bridge before version 4.1.0.1 could allow cross-site request forgery.
CVE-2019-6163
MEDIUM: A denial of service vulnerability was reported in Lenovo System Update before version 5.07.0084 that could allow service log files to be written to non-standard locations.
CVE-2019-6158
HIGH: An internal product security audit of Lenovo XClarity Administrator (LXCA) discovered HTTP proxy credentials being written to a log file in clear text. This only affects LXCA when HTTP proxy credentials have been configured. This affects LXCA versions 2.0.0 to 2.3.x.
CVE-2019-6157
MEDIUM: In various firmware versions of Lenovo System x, the integrated management module II (IMM2)'s first failure data capture (FFDC) includes the web server's private key in the generated log file for support.
CVE-2019-6156
UNKNOWN: In Lenovo systems, SMM BIOS Write Protection is used to prevent writes to SPI Flash. While this provides sufficient protection, an additional layer of protection is provided by SPI Protected Range Registers (PRx). Lenovo was notified that after resuming from S3 sleep mode in various versions of BIOS for Lenovo systems, the PRx is not set. This does not impact the SMM BIOS Write Protection, which keeps systems protected.
CVE-2019-6154
MEDIUM: A DLL search path vulnerability was reported in Lenovo Bootable Generator, prior to version Mar-2019, that could allow a malicious user with local access to execute code on the system.
CVE-2018-9072
UNKNOWN: In versions prior to 5.5, LXCI for VMware allows an authenticated user to download any system file due to insufficient input sanitization during file downloads.
CVE-2018-16093
UNKNOWN: In versions prior to 5.5, LXCI for VMware allows an authenticated user to write to any system file due to insufficient sanitization during the upload of a backup file.
CVE-2018-16097
UNKNOWN: LXCI for VMware versions prior to 5.5 and LXCI for Microsoft System Center versions prior to 3.5 allow an authenticated user to write to any system file due to insufficient sanitization during the upload of a certificate.
CVE-2018-16089
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, a field in the header of SMM firmware update images is insufficiently sanitized, allowing post-authentication command injection on the SMM as the root user.
CVE-2018-16090
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to post-authentication command injection.
CVE-2018-16094
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, an internal SMM function that retrieves configuration settings is prone to a buffer overflow.
CVE-2018-9084
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, if an attacker manages to log in to the device OS, the validation of software updates can be circumvented.
CVE-2018-16096
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the SMM web interface for changing Enclosure VPD fails to sufficiently sanitize all input for HTML tags, possibly opening a path for cross-site scripting.
CVE-2018-16095
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the SMM records hashed passwords to a debug log when user authentication fails.
CVE-2018-9083
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the SMM contains weak default root credentials which could be used to log in to the device OS -- if the attacker manages to enable SSH or Telnet connections via some other vulnerability.
CVE-2018-16092
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the FFDC feature includes the collection of SMM system files containing sensitive information; notably, the SMM user account credentials and the system shadow file.
CVE-2018-16091
UNKNOWN: In System Management Module (SMM) versions prior to 1.06, the SMM certificate creation and parsing logic is vulnerable to several buffer overflows.
CVE-2018-9085
UNKNOWN: A write protection lock bit was left unset after boot on an older generation of Lenovo and IBM System x servers, potentially allowing an attacker with administrator access to modify the subset of flash memory containing Intel Server Platform Services (SPS) and the system Flash Descriptors.
CVE-2018-9073
UNKNOWN: Lenovo Chassis Management Module (CMM) prior to version 2.0.0 utilizes a hardcoded encryption key to protect certain secrets. Possession of the key can allow an attacker that has already compromised the server to decrypt these secrets.
CVE-2018-9071
UNKNOWN: Lenovo Chassis Management Module (CMM) prior to version 2.0.0 allows unauthenticated users to retrieve information related to the current authentication configuration settings. Exposed settings relate to password lengths, expiration, and lockout configuration.
CVE-2018-9086
UNKNOWN: In some Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command. This allows a privileged user to download and execute arbitrary code inside the BMC. This can only be exploited by authorized privileged users.