Lenovo Security Advisory
Number: AV18-010
Date: 16 January 2018
Purpose
The purpose of this advisory is to bring attention to a security advisory for Lenovo, IBM RackSwitch and BladeCenter Products.
Assessment
Lenovo has released a security advisory to address a vulnerability known as “HP Backdoor” which could allow an unauthenticated remote user to bypass authentication and gain administrative privileges on a targeted device.
Affected Products:
- Lenovo Flex System Fabric CN4093 10Gb Converged Scalable Switch
- Lenovo Flex System Fabric EN4093R 10Gb Scalable Switch
- Lenovo Flex System Fabric SI4093 10Gb System Interconnect Module
- Lenovo Flex System SI4091 System Interconnect Module
- Lenovo RackSwitch G8272-CNOS
- Lenovo RackSwitch G8332-CNOS
- Lenovo RackSwitch G7028 (ThinkAgile CX2200)
- Lenovo RackSwitch G7052 (ThinkAgile CX4200/CX4600)
- Lenovo RackSwitch G8052
- Lenovo RackSwitch G8124E (ThinkAgile CX2200)
- Lenovo RackSwitch G8264
- Lenovo RackSwitch G8264CS
- Lenovo RackSwitch G8272 (ThinkAgile CX4200/CX4600)
- Lenovo RackSwitch G8296
- Lenovo RackSwitch G8296-CNOS
- Lenovo RackSwitch G8332
- IBM Flex System™ Fabric EN4093/EN4093R 10Gb Scalable Switch
- IBM Flex System™ Fabric CN4093 10Gb Converged Scalable Switch
- IBM Flex System™ Fabric SI4093 10Gb System Interconnect Module
- IBM Flex System EN2092 1Gb Ethernet Scalable Switch
- IBM 1G L2-7 SLB switch for BladeCenter
- IBM BladeCenter Virtual Fabric 10Gb Switch Module
- IBM BladeCenter 1:10G Uplink Ethernet Switch Module
- IBM BladeCenter Layer 2/3 Copper Ethernet Switch Module
- IBM RackSwitch G8264CS
- IBM RackSwitch G8264
- IBM RackSwitch G8052
- IBM RackSwitch G8332
- IBM RackSwitch G8124E
- IBM RackSwitch G8264T
- IBM RackSwitch G8316
- IBM RackSwitch G8124
CVE Reference: CVE-2017-3765
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.
References
https://support.lenovo.com/ca/en/product_security/len-16095
Note to Readers
In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.
Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca