ID

VAR-201701-0353


CVE

CVE-2016-8221


TITLE

Privilege escalation vulnerability in Lenovo XClarity Administrator

Trust: 0.8

sources: JVNDB: JVNDB-2016-006940

DESCRIPTION

Privilege escalation in Lenovo XClarity Administrator (LXCA) earlier than 1.2.0: if LXCA is used to manage rack switches or chassis with embedded input/output modules (IOMs), certain log files viewable by authenticated users may contain passwords for internal administrative LXCA accounts with temporary passwords that are used internally by LXCA code. Lenovo XClarity Administrator is prone to a privilege-escalation vulnerability. An attacker can exploit this issue to gain elevated privileges. Versions prior to Lenovo XClarity Administrator 1.2.0 are vulnerable. Lenovo XClarity Administrator (LXCA) is a centralized resource management solution from the Chinese company Lenovo. The solution supports simplified infrastructure management, faster server response, and improved Lenovo server system performance. Attackers can use this vulnerability to log in to the LXCA system, download log files, and obtain temporary management passwords and access rights to the LXCA system.

Trust: 1.98

sources: NVD: CVE-2016-8221 // JVNDB: JVNDB-2016-006940 // BID: 95417 // VULHUB: VHN-97041

AFFECTED PRODUCTS

vendor: lenovo, model: xclarity administrator, scope: lte, version: 1.1.1

Trust: 1.0

vendor: lenovo, model: xclarity administrator, scope: eq, version: 1.1.1

Trust: 0.9

vendor: lenovo, model: xclarity administrator, scope: lt, version: 1.2.0

Trust: 0.8

vendor: lenovo, model: xclarity administrator, scope: eq, version: 1.1

Trust: 0.3

vendor: lenovo, model: xclarity administrator, scope: eq, version: 1.0.3

Trust: 0.3

vendor: lenovo, model: xclarity administrator, scope: eq, version: 1.0.1

Trust: 0.3

vendor: lenovo, model: xclarity administrator, scope: ne, version: 1.2.0

Trust: 0.3

sources: BID: 95417 // JVNDB: JVNDB-2016-006940 // CNNVD: CNNVD-201701-307 // NVD: CVE-2016-8221

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-8221
value: HIGH

Trust: 1.0

NVD: CVE-2016-8221
value: HIGH

Trust: 0.8

CNNVD: CNNVD-201701-307
value: LOW

Trust: 0.6

VULHUB: VHN-97041
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2016-8221
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-97041
severity: LOW
baseScore: 1.9
vectorString: AV:L/AC:M/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.4
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2016-8221
baseSeverity: HIGH
baseScore: 7.0
vectorString: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.0
impactScore: 5.9
version: 3.0

Trust: 1.8

sources: VULHUB: VHN-97041 // JVNDB: JVNDB-2016-006940 // CNNVD: CNNVD-201701-307 // NVD: CVE-2016-8221

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-97041 // JVNDB: JVNDB-2016-006940 // NVD: CVE-2016-8221

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201701-307

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201701-307

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-006940

PATCH

title: LEN-10605, url: https://support.lenovo.com/jp/ja/product_security/LEN_10605

Trust: 0.8

title: Lenovo XClarity Administrator Security vulnerabilities, url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66971

Trust: 0.6

sources: JVNDB: JVNDB-2016-006940 // CNNVD: CNNVD-201701-307

EXTERNAL IDS

db: NVD, id: CVE-2016-8221

Trust: 2.8

db: BID, id: 95417

Trust: 1.4

db: JVNDB, id: JVNDB-2016-006940

Trust: 0.8

db: CNNVD, id: CNNVD-201701-307

Trust: 0.7

db: VULHUB, id: VHN-97041

Trust: 0.1

sources: VULHUB: VHN-97041 // BID: 95417 // JVNDB: JVNDB-2016-006940 // CNNVD: CNNVD-201701-307 // NVD: CVE-2016-8221

REFERENCES

url:https://support.lenovo.com/us/en/product_security/len_10605

Trust: 2.0

url:http://www.securityfocus.com/bid/95417

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8221

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2016-8221

Trust: 0.8

url:http://www.lenovo.com/ca/en/

Trust: 0.3

sources: VULHUB: VHN-97041 // BID: 95417 // JVNDB: JVNDB-2016-006940 // CNNVD: CNNVD-201701-307 // NVD: CVE-2016-8221

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 95417

SOURCES

db: VULHUB, id: VHN-97041
db: BID, id: 95417
db: JVNDB, id: JVNDB-2016-006940
db: CNNVD, id: CNNVD-201701-307
db: NVD, id: CVE-2016-8221

LAST UPDATE DATE

2024-11-23T22:45:47.425000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-97041, date: 2017-01-19T00:00:00
db: BID, id: 95417, date: 2017-01-23T04:05:00
db: JVNDB, id: JVNDB-2016-006940, date: 2017-01-30T00:00:00
db: CNNVD, id: CNNVD-201701-307, date: 2017-01-13T00:00:00
db: NVD, id: CVE-2016-8221, date: 2024-11-21T02:59:00.797

SOURCES RELEASE DATE

db: VULHUB, id: VHN-97041, date: 2017-01-12T00:00:00
db: BID, id: 95417, date: 2017-01-12T00:00:00
db: JVNDB, id: JVNDB-2016-006940, date: 2017-01-30T00:00:00
db: CNNVD, id: CNNVD-201701-307, date: 2017-01-13T00:00:00
db: NVD, id: CVE-2016-8221, date: 2017-01-12T22:59:00.220