exploitDog

BDU:2025-00194

Published: 09 Jul 2024
Source: fstec
CVSS3: 7.2
CVSS2: 9
EPSS: Low

Description

A vulnerability in the Lenovo XClarity Controller (XCC) for Lenovo ThinkSystem servers is caused by improper neutralization of special elements. Exploitation of the vulnerability could allow a remote attacker to execute arbitrary commands by means of specially crafted files.

Vendor

Lenovo Group Limited

Software name

HX5530 Appliance (ThinkAgile)
HX7530 Appl for SAP HANA (ThinkAgile)
VX3331 Certified Node (ThinkAgile)
HX Enclosure Certified Node
HX1021 Edge Certified Node 3yr
HX1320 Appliance
HX1321 Certified Node
HX1331 Certified Node (ThinkAgile)
HX1520-R Appliance
HX1521-R Certified Node
HX2320-E Appliance
HX2321 Certified Node
HX2330 Appliance (ThinkAgile)
HX2331 Certified Node (ThinkAgile)
HX2720-E Appliance
HX3320 Appliance
HX3321 Certified Node
HX3330 Appliance (ThinkAgile)
HX3331 Certified Node (ThinkAgile)
HX3331 Node SAP HANA (ThinkAgile)
HX3375 Appliance
HX3376 Certified Node
HX3520-G Appliance
HX3521-G Certified Node
HX3720 Appliance
HX3721 Certified Node
HX5520 Appliance
HX5520-C Appliance
HX5521 Certified Node
HX5521-C Certified Node
HX5531 Certified Node (ThinkAgile)
HX7520 Appliance
HX7521 Certified Node
VX7531 Certified Node
HX7531 Node SAP HANA (ThinkAgile)
HX7820 Appliance
HX7821 Certified Node
MX Edge Appliance - MX1020
MX3330-F All-flash Appliance (ThinkAgile)
MX3330-H Hybrid Appliance (ThinkAgile)
MX3331-F All-flash Certified node (ThinkAgile)
MX3331-H Hybrid Certified node (ThinkAgile)
MX3530 F All flash Appliance (ThinkAgile)
MX3530-H Hybrid Appliance (ThinkAgile)
MX3531 H Hybrid Certified node (ThinkAgile)
ThinkAgile MX1021 on SE350
VX 1SE Certified Node
VX 2U4N Certified Node
VX2320
VX2330 Appliance (ThinkAgile)
VX3320
VX3330 Appliance (ThinkAgile)
VX3520-G
VX3530-G Appliance (ThinkAgile)
VX3720
VX5520
VX5530 Appliance (ThinkAgile)
VX635 V3 Integrated System (ThinkAgile)
VX645 V3 Certified Node (ThinkAgile)
VX655 V3 Certified Node (ThinkAgile)
VX655 V3 Integrated System (ThinkAgile)
VX645 V3 Integrated System (ThinkAgile)
VX665 V3 Certified Node (ThinkAgile)
VX665 V3 Integrated System (ThinkAgile)
VX7320 N
VX7330 Appliance (ThinkAgile)
VX7520
VX7520 N
VX7530 Appliance (ThinkAgile)
VX7531 Certified Node (ThinkAgile)
VX7820
SE350 V2 (ThinkEdge)
SE360 V2 (ThinkEdge)
SE450
SE455 V3 (ThinkEdge)
P920 Rack Workstation
ST250 V3 (ThinkSystem)
SD530
SD630 V2 (ThinkSystem)
SD650 DWC Dual Node Tray
SD650 V2 (ThinkSystem)
SD650 V3 (ThinkSystem)
SD650-N V2 (ThinkSystem)
SD665 V3 (ThinkSystem)
SE350
SN550
SN550 V2 (ThinkSystem)
SN850
SR150
SR158
SR250
SR250 V2
SR258
SR258 V2
SR258 V3 (ThinkSystem)
SR530
SR550
SR570
SR590
SR630
SR630 V2 (ThinkSystem)
SR630 V3 (ThinkSystem)
SR635 V3 (ThinkSystem)
SR645
SR645 V3 (ThinkSystem)
SR650
SR650 V2 (ThinkSystem)
SR650 V3 (ThinkSystem)
SR655 V3 (ThinkSystem)
SR655
SR665
SR665 V3 (ThinkSystem)
SR670
SR670 V2 (ThinkSystem)
SR675 V3 (ThinkSystem)
SR850
SR850 V2 (ThinkSystem)
SR850 V3 (ThinkSystem)
SR850P
SR860
SR860 V2 (ThinkSystem)
Lenovo ThinkSystem SR860 V3
SR950
SR950 V3 (ThinkSystem)
ST250
ST250 V2
ST258
ST258 V2
ST258 V3 (ThinkSystem)
ST550
ST650 V2 (ThinkSystem)
ST650 V3 (ThinkSystem)
ST658 V2 (ThinkSystem)
Lenovo ThinkSystem ST658 V3

Software version

before 4.71 (HX5530 Appliance (ThinkAgile))
before 4.71 (HX7530 Appl for SAP HANA (ThinkAgile))
before 4.71 (VX3331 Certified Node (ThinkAgile))
before 4.11 TGBT50C (HX Enclosure Certified Node)
before 4.11 TEI3E4A (HX1021 Edge Certified Node 3yr)
before 9.97 CDI3B4B (HX1320 Appliance)
before 9.97 CDI3B4B (HX1321 Certified Node)
before 4.71 (HX1331 Certified Node (ThinkAgile))
before 9.97 CDI3B4B (HX1520-R Appliance)
before 9.97 CDI3B4B (HX1521-R Certified Node)
before 9.97 CDI3B4B (HX2320-E Appliance)
before 9.97 CDI3B4B (HX2321 Certified Node)
before 4.71 (HX2330 Appliance (ThinkAgile))
before 4.71 (HX2331 Certified Node (ThinkAgile))
before 4.11 TGBT50C (HX2720-E Appliance)
before 9.97 CDI3B4B (HX3320 Appliance)
before 9.97 CDI3B4B (HX3321 Certified Node)
before 4.71 (HX3330 Appliance (ThinkAgile))
before 4.71 (HX3331 Certified Node (ThinkAgile))
before 4.71 (HX3331 Node SAP HANA (ThinkAgile))
before 5.61 D8BT64D (HX3375 Appliance)
before 5.61 D8BT64D (HX3376 Certified Node)
before 9.97 CDI3B4B (HX3520-G Appliance)
before 9.97 CDI3B4B (HX3521-G Certified Node)
before 4.11 TGBT50C (HX3720 Appliance)
before 4.11 TGBT50C (HX3721 Certified Node)
before 9.97 CDI3B4B (HX5520 Appliance)
before 9.97 CDI3B4B (HX5520-C Appliance)
before 9.97 CDI3B4B (HX5521 Certified Node)
before 9.97 CDI3B4B (HX5521-C Certified Node)
before 4.71 (HX5531 Certified Node (ThinkAgile))
before 9.97 CDI3B4B (HX7520 Appliance)
before 9.97 CDI3B4B (HX7521 Certified Node)
before 4.71 (VX7531 Certified Node)
before 4.71 (HX7531 Node SAP HANA (ThinkAgile))
before 3.11 PSI354A (HX7820 Appliance)
before 3.11 PSI354A (HX7821 Certified Node)
before 4.11 TEI3E4A (MX Edge Appliance - MX1020)
before 4.71 (MX3330-F All-flash Appliance (ThinkAgile))
before 4.71 (MX3330-H Hybrid Appliance (ThinkAgile))
before 4.71 (MX3331-F All-flash Certified node (ThinkAgile))
before 4.71 (MX3331-H Hybrid Certified node (ThinkAgile))
before 4.71 (MX3530 F All flash Appliance (ThinkAgile))
before 4.71 (MX3530-H Hybrid Appliance (ThinkAgile))
before 4.71 (MX3531 H Hybrid Certified node (ThinkAgile))
before 4.11 TEI3E4A (ThinkAgile MX1021 on SE350)
before 4.11 TGBT50C (VX 1SE Certified Node)
before 4.11 TGBT50C (VX 2U4N Certified Node)
before 4.11 TGBT50C (HX1320 Appliance)
before 9.97 CDI3B4B (VX2320)
before 4.71 (VX2330 Appliance (ThinkAgile))
before 9.97 CDI3B4B (VX3320)
before 4.71 (VX3330 Appliance (ThinkAgile))
before 9.97 CDI3B4B (VX3520-G)
before 4.71 (VX3530-G Appliance (ThinkAgile))
before 4.11 TGBT50C (VX3720)
before 9.97 CDI3B4B (VX5520)
before 4.71 (VX5530 Appliance (ThinkAgile))
before 2.81 KAX330B (VX635 V3 Integrated System (ThinkAgile))
before 2.81 KAX330B (VX645 V3 Certified Node (ThinkAgile))
before 2.81 KAX330B (VX655 V3 Certified Node (ThinkAgile))
before 2.81 KAX330B (VX655 V3 Integrated System (ThinkAgile))
before 2.81 KAX330B (VX645 V3 Integrated System (ThinkAgile))
before 2.81 KAX330B (VX665 V3 Certified Node (ThinkAgile))
before 2.81 KAX330B (VX665 V3 Integrated System (ThinkAgile))
before 9.97 CDI3B4B (VX7320 N)
before 4.71 (VX7330 Appliance (ThinkAgile))
before 9.97 CDI3B4B (VX7520)
before 9.97 CDI3B4B (VX7520 N)
before 4.71 (VX7530 Appliance (ThinkAgile))
before 4.71 (VX7531 Certified Node (ThinkAgile))
before 3.11 PSI354A (VX7820)
before 2.12 IYX324F (SE350 V2 (ThinkEdge))
before 2.12 IYX324F (SE360 V2 (ThinkEdge))
before 3.11 USX332X (SE450)
before 2.12 MBX306K (SE455 V3 (ThinkEdge))
before 9.97 CDI3B4B (P920 Rack Workstation)
before 1.12 CTX304D (ST250 V3 (ThinkSystem))
before 4.11 TGBT50C (SD530)
before 4.11 TGBT50C (SD630 V2 (ThinkSystem))
before 6.36 TEI3F4A (SD650 DWC Dual Node Tray)
before 4.11 TGBT50C (SD650 DWC Dual Node Tray)
before 4.11 TGBT50C (SD650 V2 (ThinkSystem))
before 4.11 USX342E (SD650 V3 (ThinkSystem))
before 4.11 TGBT50C (SD650-N V2 (ThinkSystem))
before 5.11 QGX330E (SD665 V3 (ThinkSystem))
before 4.11 TEI3E4A (SE350)
before 6.36 TEI3F4A (SN550)
before 4.11 TGBT50C (SN550)
before 4.11 TGBT50C (SN550 V2 (ThinkSystem))
before 6.36 TEI3F4A (SN850)
before 4.11 TGBT50C (SN850)
before 4.11 TGBT50C (SR150)
before 4.11 TGBT50C (SR158)
before 4.11 TGBT50C (SR250)
before 4.11 TGBT50C (SR250 V2)
before 4.11 TGBT50C (SR258)
before 4.11 TGBT50C (SR258 V2)
before 4.12 CTX304D (SR258 V3 (ThinkSystem))
before 9.97 CDI3B4B (SR530)
before 9.97 CDI3B4B (SR550)
before 9.97 CDI3B4B (SR570)
before 9.97 CDI3B4B (SR590)
before 9.97 CDI3B4B (SR630)
before 4.71 (SR630 V2 (ThinkSystem))
before 4.51 ESX328B (SR630 V3 (ThinkSystem))
before 2.81 KAX330B (SR635 V3 (ThinkSystem))
before 5.61 D8BT64D (SR645)
before 5.61 D8BT64D (SR645 V3 (ThinkSystem))
before 2.81 KAX330B (SR645 V3 (ThinkSystem))
before 9.97 CDI3B4B (SR650)
before 4.71 (SR650 V2 (ThinkSystem))
before 4.51 ESX328B (SR650 V2 (ThinkSystem))
before 4.51 ESX328B (SR650 V3 (ThinkSystem))
before 2.81 KAX330B (SR655 V3 (ThinkSystem))
before 5.61 D8BT64D (SR655)
before 5.61 D8BT64D (SR665)
before 5.61 D8BT64D (SR665 V3 (ThinkSystem))
before 2.81 KAX330B (SR665 V3 (ThinkSystem))
before 4.11 TEI3E4A (SR670)
before 4.11 TGBT50C (SR670 V2 (ThinkSystem))
before 5.11 QGX336E (SR675 V3 (ThinkSystem))
before 6.36 TEI3F4A (SR850)
before 4.11 TGBT50C (SR850)
before 4.11 TGBT50C (SR850 V2 (ThinkSystem))
before 1.20 USX352D (SR850 V3 (ThinkSystem))
before 4.11 TEI3E4A (SR850P)
before 6.36 TEI3F4A (SR860)
before 4.11 TGBT50C (SR860)
before 4.11 TGBT50C (SR860 V2 (ThinkSystem))
before 1.20 USX352D (Lenovo ThinkSystem SR860 V3)
before 3.11 PSI354A (SR950)
before 2.11 EBE106H (SR950 V3 (ThinkSystem))
before 4.11 TGBT50C (ST250)
before 4.11 TGBT50C (ST250 V2)
before 4.11 TGBT50C (ST258)
before 4.11 TGBT50C (ST258 V2)
before 1.12 CTX304D (ST258 V3 (ThinkSystem))
before 9.97 CDI3B4B (ST550)
before 4.11 TGBT50C (ST650 V2 (ThinkSystem))
before 4.11 USX342E (ST650 V3 (ThinkSystem))
before 4.11 TGBT50C (ST658 V2 (ThinkSystem))
before 4.11 USX342E (Lenovo ThinkSystem ST658 V3)

Software type

Firmware
Hardware appliance software
Network device

Operating systems and hardware platforms

-

Vulnerability severity level

High severity (CVSS 2.0 base score is 9)
High severity (CVSS 3.0 base score is 7.2)

Possible remediation measures

Follow the recommendations at:
https://support.lenovo.com/vn/en/product_security/ps500634-lenovo-xclarity-controller-xcc-vulnerabilities

Vulnerability status

Confirmed by the vendor

Exploit availability

Data is being verified

Remediation information

Vulnerability fixed

EPSS

EPSS: 0.00477 (percentile: 64%), Low

CVSS3: 7.2 High
CVSS2: 9 Critical

Related vulnerabilities

CVSS3: 7.2
Source: nvd
more than 1 year ago

A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.

CVSS3: 7.2
Source: github
more than 1 year ago

A privilege escalation vulnerability was discovered in an upload processing functionality of XCC that could allow an authenticated XCC user with elevated privileges to perform command injection via specially crafted file uploads.