CVE-2023-4606
📋 TL;DR
This vulnerability allows authenticated users with read-only permissions on Lenovo ThinkSystem servers to change other users' passwords through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC (XClarity Controller), while v1 servers are not vulnerable. The flaw enables privilege escalation from low-privilege accounts to administrative access.
💻 Affected Systems
- Lenovo ThinkSystem servers with XClarity Controller (XCC)
📦 What is this software?
- Thinkagile Mx3330 F All Flash Firmware by Lenovo
- Thinkagile Mx3330 H Hybrid Firmware by Lenovo
- Thinkagile Mx3331 F All Flash Firmware by Lenovo
- Thinkagile Mx3331 H Hybrid Firmware by Lenovo
- Thinkagile Mx3530 F All Flash Firmware by Lenovo
- Thinkagile Mx3530 H Hybrid Firmware by Lenovo
- Thinkagile Mx3531 F All Flash Firmware by Lenovo
⚠️ Risk & Real-World Impact
Worst Case
An attacker with read-only access could change administrator passwords, gain full system control, and potentially compromise the entire server infrastructure.
Likely Case
Malicious insiders or compromised low-privilege accounts escalate privileges to administrative access, enabling data theft, system modification, or lateral movement.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and contained.
🎯 Exploit Status
Exploitation requires authenticated access with read-only permissions. The vulnerability is in the API command handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XCC firmware updates as specified in Lenovo advisory LEN-140960
Vendor Advisory: https://support.lenovo.com/us/en/product_security/LEN-140960
Restart Required: Yes
Instructions:
1. Download the latest XCC firmware from the Lenovo support site.
2. Apply the firmware update through the XCC web interface or command line.
3. Reboot the XCC controller to complete the installation.
🔧 Temporary Workarounds
Restrict XCC API access
Limit network access to XCC management interfaces to trusted administrative networks only.
- Configure firewall rules to restrict access to the XCC IP/ports (default 443/TCP)
Minimize user accounts
Remove unnecessary read-only accounts and implement least-privilege access.
- Review and remove unused XCC user accounts through the XCC web interface
🧯 If You Can't Patch
- Implement network segmentation to isolate XCC management interfaces from general user networks
- Enable detailed logging of XCC authentication and user management events for monitoring
🔍 How to Verify
Check if Vulnerable:
Check XCC firmware version against patched versions in Lenovo advisory LEN-140960
Check Version:
Connect to the XCC web interface and check the firmware version under System Information, or use: ipmitool -I lanplus -H <xcc_ip> -U <user> -P <pass> mc info (the Firmware Revision line reports the XCC version; the fru subcommand lists board and product inventory instead). Passing -P on the command line exposes the password in the process list; ipmitool's -E option reads it from the IPMI_PASSWORD environment variable instead.
Verify Fix Applied:
Verify that the XCC firmware version has been updated to the patched version, and confirm with a read-only test account that it can no longer change another user's password.
📡 Detection & Monitoring
Log Indicators:
- Unusual password change events in XCC logs
- Multiple failed authentication attempts followed by successful password changes
- User privilege escalation events
Network Indicators:
- API calls to XCC user management endpoints from non-admin accounts
- Unusual patterns of XCC authentication requests
SIEM Query:
source="xcc_logs" AND (event_type="password_change" OR event_type="user_modify") AND user_role="read-only"
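The SIEM query above, as an added example that is not part of this page or of Lenovo's tooling: a small Python detector run over constructed XCC-style audit lines in an assumed key=value format (XCC's real log format is not given here). It goes slightly beyond the query by rating password changes on other users higher and by correlating the failed-login burst followed by a password change listed under Log Indicators.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in an assumed key=value layout (not XCC's real format).
SAMPLE_LOGS = """\
ts=2023-09-01T10:00:01Z event_type=login user=auditor user_role=read-only result=success src=10.0.5.20
ts=2023-09-01T10:00:05Z event_type=password_change user=auditor user_role=read-only target=USERID result=success src=10.0.5.20
ts=2023-09-01T10:01:00Z event_type=password_change user=admin user_role=supervisor target=admin result=success src=10.0.1.5
ts=2023-09-01T10:02:00Z event_type=user_modify user=auditor user_role=read-only target=ops1 result=success src=10.0.5.20
ts=2023-09-01T10:03:00Z event_type=login user=ops1 user_role=operator result=failure src=10.0.7.9
ts=2023-09-01T10:03:10Z event_type=login user=ops1 user_role=operator result=failure src=10.0.7.9
ts=2023-09-01T10:03:20Z event_type=login user=ops1 user_role=operator result=success src=10.0.7.9
ts=2023-09-01T10:03:30Z event_type=password_change user=ops1 user_role=operator target=ops1 result=success src=10.0.7.9
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text):
    """Turn each non-empty key=value line into a dict."""
    return [dict(KV.findall(line)) for line in text.splitlines() if line.strip()]


def find_suspicious(events, fail_threshold=2):
    """Return (timestamp, severity, message) alerts for:
    - password_change / user_modify performed by a read-only role (the page's SIEM query),
      rated high when the target is a different account than the actor;
    - a password change following >= fail_threshold failed logins for the same user."""
    alerts = []
    failed_logins = defaultdict(int)
    for e in events:
        et, user, role = e.get("event_type"), e.get("user"), e.get("user_role")
        if et in ("password_change", "user_modify") and role == "read-only":
            target = e.get("target")
            severity = "high" if target and target != user else "medium"
            alerts.append((e["ts"], severity, f"{role} user {user} performed {et} on {target}"))
        if et == "login" and e.get("result") == "failure":
            failed_logins[user] += 1
        if et == "password_change" and failed_logins[user] >= fail_threshold:
            alerts.append((e["ts"], "medium",
                           f"{user} changed a password after {failed_logins[user]} failed logins"))
            failed_logins[user] = 0  # reset so one burst yields one alert
    return alerts


if __name__ == "__main__":
    for ts, sev, msg in find_suspicious(parse(SAMPLE_LOGS)):
        print(ts, sev.upper(), msg)
```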