CVE-2020-8355 : What You Need to Know

Discover the impact of CVE-2020-8355, a medium severity vulnerability in Lenovo XClarity Administrator (LXCA) versions prior to 3.1.0. Learn about the exposure of Windows OS credentials and how to mitigate the risk.

An internal product security audit of Lenovo XClarity Administrator (LXCA) prior to version 3.1.0 discovered a vulnerability that could lead to the exposure of Windows OS credentials.

Understanding CVE-2020-8355

This CVE involves a security issue in Lenovo XClarity Administrator (LXCA) versions prior to 3.1.0, potentially exposing sensitive information.

What is CVE-2020-8355?

The vulnerability in Lenovo XClarity Administrator (LXCA) allows Windows OS credentials to be captured in the service log during managed system updates, posing a risk of unauthorized access to sensitive information.

The Impact of CVE-2020-8355

The vulnerability has a CVSS base score of 4.9, which makes it a medium severity issue: the confidentiality impact is high, but exploitation requires high privileges.

Technical Details of CVE-2020-8355

This section provides more in-depth technical insights into the CVE-2020-8355 vulnerability.

Vulnerability Description

The vulnerability in LXCA versions prior to 3.1.0 allows the capture of Windows OS credentials in the service log during managed system updates, potentially exposing sensitive information.

Affected Systems and Versions

        Product: XClarity Administrator
        Vendor: Lenovo
        Versions Affected: < 3.1.0

Exploitation Mechanism

        Attack Complexity: Low
        Attack Vector: Network
        Privileges Required: High
        User Interaction: None
        Scope: Unchanged
        Confidentiality Impact: High
        Integrity Impact: None
        Availability Impact: None

Mitigation and Prevention

To address CVE-2020-8355, follow these mitigation and prevention strategies.

Immediate Steps to Take

        Update LXCA to version 3.1.0 or later to mitigate the vulnerability.

Long-Term Security Practices

        Regularly review and update security configurations.
        Monitor and restrict access to sensitive logs and information.

Patching and Updates

        Stay informed about security updates and patches from Lenovo for LXCA.
