An internal product security audit of Lenovo XClarity Controller (XCC) discovered a vulnerability where the configuration backup/restore password may be exposed in certain circumstances.
Understanding CVE-2021-3473
This CVE covers a security issue in Lenovo XClarity Controller (XCC) that could leak sensitive information.
What is CVE-2021-3473?
The vulnerability in Lenovo XClarity Controller (XCC) allows the backup/restore password to be temporarily stored in an internal log buffer, potentially exposing it when a service log is generated.
The Impact of CVE-2021-3473
The vulnerability has a CVSS base score of 4.5 (medium severity). Its main impact is on confidentiality, since it could lead to the disclosure of sensitive information.
Technical Details of CVE-2021-3473
This section dives into the specific technical details of the CVE.
Vulnerability Description
If Lenovo XClarity Administrator (LXCA) is used for backup/restore, the password is temporarily stored in an internal log buffer, which could be exposed when generating an FFDC service log.
Affected Systems and Versions
Lenovo XClarity Controller (XCC) versions earlier than 6.00 CDI370Q, 1.10 TGBT12Q, 3.20 TEI378W, 2.14 PSI338I, and 4.40 TEI3B2P are affected.
Exploitation Mechanism
The issue arises when using LXCA for backup/restore, potentially leading to the exposure of the password in generated service logs.
Mitigation and Prevention
Discover the necessary steps to mitigate the risks associated with CVE-2021-3473.
Immediate Steps to Take
Update XCC to the recommended version mentioned in the related Lenovo advisory (LEN-52117) to address this vulnerability.
Long-Term Security Practices
Regularly check for updates and security advisories from Lenovo to stay protected against emerging threats.
Patching and Updates
Ensure timely application of patches and updates provided by Lenovo to enhance the security of your XClarity Controller (XCC) setup.