Admins who manage servers with Lenovo’s XClarity Controller (XCC) should update the management controller for security reasons. Otherwise, attackers can exploit several vulnerabilities and, among other things, change users’ access rights.
The vulnerabilities
In a warning message, the XCC developers list three security vulnerabilities (CVE-2023-4606, CVE-2023-4607, CVE-2023-4608). A severity rating is evidently still pending.
In every case, attackers must already be authenticated. If they are, they can, among other things, change passwords using special API commands or execute their own commands via SQL injection. The latter is said to affect only ThinkSystem v2 and v3 servers.
Patch now!
In the warning message, Lenovo lists the affected systems and the XCC versions that are protected against the attacks.