CVE-2024-8059
📋 TL;DR
This vulnerability exposes IPMI credentials in XCC audit logs when usernames are exactly 16 characters long. It affects Lenovo servers with XCC firmware. Attackers with access to audit logs could capture credentials for IPMI management interfaces.
💻 Affected Systems
- Lenovo servers with XCC firmware
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrative credentials for IPMI interfaces, enabling full system compromise, firmware modification, or persistent backdoor installation.
Likely Case
Privileged users or attackers with existing log access capture credentials, potentially escalating privileges within the management infrastructure.
If Mitigated
With proper access controls and log protection, credential exposure remains contained within authorized administrative channels.
🎯 Exploit Status
Exploitation requires access to XCC audit logs, which typically requires administrative or privileged access to the management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: XCC firmware version 1.13.0 or later
Vendor Advisory: https://support.lenovo.com/us/en/product_security/LEN-172051
Restart Required: Yes
Instructions:
1. Download XCC firmware version 1.13.0 or later from the Lenovo support site.
2. Log into the XCC web interface.
3. Navigate to the Firmware Update section.
4. Upload and apply the firmware update.
5. Reboot the server as prompted.
🔧 Temporary Workarounds
Change username length
Modify any IPMI account usernames to be shorter or longer than 16 characters
Use XCC web interface or IPMI tool to rename accounts: ipmitool user set name <userid> <new_username>
Restrict audit log access
Limit access to XCC audit logs to only necessary administrative personnel
Configure XCC user permissions to restrict log viewing capabilities
🧯 If You Can't Patch
- Change all IPMI account usernames to not be exactly 16 characters long
- Implement strict access controls for XCC audit logs and monitor for unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check XCC firmware version via web interface or IPMI: ipmitool mc info | grep 'Firmware Revision'
Check Version:
ipmitool mc info | grep 'Firmware Revision'
Verify Fix Applied:
Verify firmware version is 1.13.0 or later and check that no accounts have 16-character usernames
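One way to run the 16-character username check described above, as an added example that is not part of the original page or any Lenovo tooling. The function names are hypothetical, the sample listing is constructed, and it assumes `ipmitool user list` output in which the first whitespace-separated field is the numeric user ID and the second is a username containing no spaces.

```shell
#!/usr/bin/env bash
# Added example: flag IPMI accounts whose username is exactly 16 characters,
# the length this advisory associates with credential exposure in audit logs.

# Reads `ipmitool user list` text on stdin; prints "<id> <name>" per hit.
find_16char_users() {
    awk '
        $1 !~ /^[0-9]+$/ { next }          # skip the header and non-data lines
        length($2) == 16 { print $1, $2 }  # empty-name rows yield "true" here
    '
}

# Constructed sample listing (not captured from a real XCC).
sample_user_list() {
    cat <<'EOF'
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   USERID           true    true       true       ADMINISTRATOR
3   backup_operator1 true    true       true       OPERATOR
4   monitoring_ro    true    true       true       USER
5   svc_ipmi_collect true    true       true       ADMINISTRATOR
EOF
}

# Returns 0 when no account is flagged and 1 otherwise, so it can gate a
# compliance check or a post-rename verification step.
audit_user_list() {
    hits=$(find_16char_users)
    if [ -n "$hits" ]; then
        printf 'Accounts with 16-character usernames:\n%s\n' "$hits"
        return 1
    fi
    return 0
}

# Demo on the constructed sample; flags IDs 3 and 5.
sample_user_list | audit_user_list || true

# Live use (assumes channel 1; needs ipmitool and access to the BMC):
#   ipmitool user list 1 | audit_user_list
```

Rows with an empty name slot are not flagged, because the second field on those rows is the `Callin` value rather than a username.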
📡 Detection & Monitoring
Log Indicators:
- Audit log entries containing IPMI credentials
- Multiple failed login attempts followed by successful logins
Network Indicators:
- Unusual IPMI traffic patterns
- Authentication requests from unexpected sources
SIEM Query:
source="xcc_audit_logs" AND (event_type="authentication" OR event_type="credential")