Details of VAR-201504-0449

ID

VAR-201504-0449

CVE

CVE-2015-3322

TITLE

plural Lenovo ThinkServer Vulnerability in product password decryption

Trust: 0.8

sources: JVNDB: JVNDB-2015-002387

DESCRIPTION

Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers before 1.26.0 use weak encryption to store (1) user and (2) administrator BIOS passwords, which allows attackers to decrypt the passwords via unspecified vectors. The Lenovo ThinkServer RD350, RD450, RD550, RD650 and TD350 are all rack-mounted server products from Lenovo. An attacker could exploit the vulnerability to crack a password. Multiple Lenovo products are prone to a BIOS password encryption weakness. A security vulnerability exists in several Lenovo ThinkServer product servers. The following products are affected: Lenovo ThinkServer RD350 prior to 1.26.0, RD450 prior to 1.26.0, RD550 prior to 1.26.0, RD650 prior to 1.26.0, TD350 prior to 1.26.0

Trust: 2.52

sources: NVD: CVE-2015-3322 // JVNDB: JVNDB-2015-002387 // CNVD: CNVD-2015-02718 // BID: 74198 // VULHUB: VHN-81283

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-02718

AFFECTED PRODUCTS

vendor:	lenovo	model:	thinkserver td350	scope:	lt	version:	1.26.0	Trust: 1.4
vendor:	lenovo	model:	thinkserver rd650	scope:	lt	version:	1.26.0	Trust: 1.4
vendor:	lenovo	model:	thinkserver rd550	scope:	lt	version:	1.26.0	Trust: 1.4
vendor:	lenovo	model:	thinkserver rd450	scope:	lt	version:	1.26.0	Trust: 1.4
vendor:	lenovo	model:	thinkserver rd350	scope:	lt	version:	1.26.0	Trust: 1.4
vendor:	lenovo	model:	thinkserver rd350	scope:	eq	version:	*	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd450	scope:	lte	version:	1.25.0	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd550	scope:	lte	version:	1.25.0	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd650	scope:	lte	version:	1.25.0	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd650	scope:	eq	version:	*	Trust: 1.0
vendor:	lenovo	model:	thinkserver td350	scope:	lte	version:	1.25.0	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd450	scope:	eq	version:	*	Trust: 1.0
vendor:	lenovo	model:	thinkserver td350	scope:	eq	version:	*	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd350	scope:	lte	version:	1.25.0	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd550	scope:	eq	version:	*	Trust: 1.0
vendor:	lenovo	model:	thinkserver rd350	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkserver rd450	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkserver rd550	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkserver rd650	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkserver td350	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	thinkserver rd350	scope:	eq	version:	1.25.0	Trust: 0.6
vendor:	lenovo	model:	thinkserver rd550	scope:	eq	version:	1.25.0	Trust: 0.6
vendor:	lenovo	model:	thinkserver rd450	scope:	eq	version:	1.25.0	Trust: 0.6
vendor:	lenovo	model:	thinkserver rd650	scope:	eq	version:	1.25.0	Trust: 0.6
vendor:	lenovo	model:	thinkserver td350	scope:	eq	version:	1.25.0	Trust: 0.6
vendor:	lenovo	model:	thinkserver td350	scope:	eq	version:	1.25	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd650	scope:	eq	version:	1.25	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd550	scope:	eq	version:	1.25	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd450	scope:	eq	version:	1.25	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd350	scope:	eq	version:	1.25	Trust: 0.3
vendor:	lenovo	model:	thinkserver td350	scope:	ne	version:	1.26	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd650	scope:	ne	version:	1.26	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd550	scope:	ne	version:	1.26	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd450	scope:	ne	version:	1.26	Trust: 0.3
vendor:	lenovo	model:	thinkserver rd350	scope:	ne	version:	1.26	Trust: 0.3

sources: CNVD: CNVD-2015-02718 // BID: 74198 // JVNDB: JVNDB-2015-002387 // CNNVD: CNNVD-201504-371 // NVD: CVE-2015-3322

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-3322
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-3322
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-02718
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201504-371
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-81283
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-3322
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-02718
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-81283
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-02718 // VULHUB: VHN-81283 // JVNDB: JVNDB-2015-002387 // CNNVD: CNNVD-201504-371 // NVD: CVE-2015-3322

PROBLEMTYPE DATA

problemtype:

CWE-310

Trust: 1.9

sources: VULHUB: VHN-81283 // JVNDB: JVNDB-2015-002387 // NVD: CVE-2015-3322

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201504-371

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201504-371

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002387

PATCH

title:	LEN-2015-018	url:	http://support.lenovo.com/us/en/product_security/ts_bios_pw	Trust: 0.8
title:	Patches for multiple vulnerabilities in several Lenovo ThinkServer product servers	url:	https://www.cnvd.org.cn/patchInfo/show/57753	Trust: 0.6

sources: CNVD: CNVD-2015-02718 // JVNDB: JVNDB-2015-002387

EXTERNAL IDS

db:	NVD	id:	CVE-2015-3322	Trust: 3.4
db:	BID	id:	74198	Trust: 1.4
db:	JVNDB	id:	JVNDB-2015-002387	Trust: 0.8
db:	CNNVD	id:	CNNVD-201504-371	Trust: 0.7
db:	CNVD	id:	CNVD-2015-02718	Trust: 0.6
db:	VULHUB	id:	VHN-81283	Trust: 0.1

sources: CNVD: CNVD-2015-02718 // VULHUB: VHN-81283 // BID: 74198 // JVNDB: JVNDB-2015-002387 // CNNVD: CNNVD-201504-371 // NVD: CVE-2015-3322

REFERENCES

url:	https://support.lenovo.com/us/en/product_security/ts_bios_pw	Trust: 2.6
url:	http://www.securityfocus.com/bid/74198	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-3322	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-3322	Trust: 0.8
url:	http://www.lenovo.com/ca/en/	Trust: 0.3

sources: CNVD: CNVD-2015-02718 // VULHUB: VHN-81283 // BID: 74198 // JVNDB: JVNDB-2015-002387 // CNNVD: CNNVD-201504-371 // NVD: CVE-2015-3322

CREDITS

Lenovo

Trust: 0.3

sources: BID: 74198

SOURCES

db:	CNVD	id:	CNVD-2015-02718
db:	VULHUB	id:	VHN-81283
db:	BID	id:	74198
db:	JVNDB	id:	JVNDB-2015-002387
db:	CNNVD	id:	CNNVD-201504-371
db:	NVD	id:	CVE-2015-3322

LAST UPDATE DATE

2024-11-23T23:12:43.346000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2015-02718	date:	2015-04-24T00:00:00
db:	VULHUB	id:	VHN-81283	date:	2017-01-18T00:00:00
db:	BID	id:	74198	date:	2015-03-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-002387	date:	2015-04-21T00:00:00
db:	CNNVD	id:	CNNVD-201504-371	date:	2015-04-17T00:00:00
db:	NVD	id:	CVE-2015-3322	date:	2024-11-21T02:29:09.507

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2015-02718	date:	2015-04-24T00:00:00
db:	VULHUB	id:	VHN-81283	date:	2015-04-16T00:00:00
db:	BID	id:	74198	date:	2015-03-24T00:00:00
db:	JVNDB	id:	JVNDB-2015-002387	date:	2015-04-21T00:00:00
db:	CNNVD	id:	CNNVD-201504-371	date:	2015-04-17T00:00:00
db:	NVD	id:	CVE-2015-3322	date:	2015-04-16T23:59:03.557