Cyber Resilience

CVE-2021-3473

Medium

Published: 13 April 2021

Modified: 21 November 2024
KEV Added: none listed
Patch: none listed
CVSS v3.1: 4.5 (vector CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)
EPSS: 0.0010 (27.3rd percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-3473 is a medium-severity Cleartext Transmission of Sensitive Information (CWE-319) vulnerability in Lenovo XClarity Controller. Its CVSS v3.1 base score is 4.5 (Medium).

Operationally, its EPSS score places it at the 27.3rd percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

An internal product security audit of Lenovo XClarity Controller (XCC) discovered that the XCC configuration backup/restore password may be written to an internal XCC log buffer if Lenovo XClarity Administrator (LXCA) is used to perform the backup/restore. The backup/restore password typically exists in this internal log buffer for less than 10 minutes before being overwritten. Generating an FFDC service log will include the log buffer contents, including the backup/restore password if present. The FFDC service log is only generated when requested by a privileged XCC user and it is only accessible to the privileged XCC user that requested the file. The backup/restore password is not captured if the backup/restore is initiated directly from XCC.

CWE(s)

CWE-319 (Cleartext Transmission of Sensitive Information); the control mapping below also references CWE-312 (Cleartext Storage of Sensitive Information).

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Lenovo XClarity Controller, versions 1.10_tgbt12q, 2.14_psi338i, 4.40_tei3b2p, 6.00_cdi370q

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-312, CWE-319: Training on secure data handling discourages cleartext storage of sensitive information.

Addresses CWE-312, CWE-319: Data action mapping can detect storage actions that leave sensitive information in cleartext.

Addresses CWE-312, CWE-319: Configuration policies can mandate secure storage methods to avoid cleartext storage of sensitive information.

Addresses CWE-312, CWE-319: Policy requires protection measures such as encryption for sensitive data stored on media, preventing cleartext exposure.

Addresses CWE-312, CWE-319: Key-management policy requires protected storage of key material, preventing cleartext storage of sensitive cryptographic keys.

Addresses CWE-319: By requiring documented security controls for information exchanges, the control reduces the risk of cleartext transmission of sensitive data.

Addresses CWE-319: Enforces safeguards against cleartext transmission of CUI when data leaves organizational boundaries to external systems.

Addresses CWE-319: Explicit controls and continuous oversight of external system services prevent cleartext transmission of sensitive information over provider-managed channels.

References