CVE-2023-4606 in ThinkSystem

Summary

by MITRE • 10/25/2023

An authenticated XCC user with Read-Only permission can change a different user’s password through a crafted API command. This affects ThinkSystem v2 and v3 servers with XCC; ThinkSystem v1 servers are not affected.


Analysis

by VulDB Data Team • 11/15/2023

This vulnerability is an authorization flaw in the Lenovo XClarity Controller (XCC) firmware on ThinkSystem V2 and V3 servers: an authenticated user holding only Read-Only permission can change a different user's password through a crafted API command. The root cause is insufficient authorization checking in the XCC's user-management interface. Changing another account's password should require administrative privileges (or, for a self-service change, ownership of the account), but the password-change operation does not enforce that requirement. A low-privileged actor can therefore escalate by resetting an administrator's password and logging in as that administrator, which undermines the controller's whole authentication model. The issue is a direct violation of the principle of least privilege: the Read-Only role exists so that its holders cannot make changes, yet a state-changing path remains reachable through the API.

The flaw is reached through the XCC API calls that handle user management. The request handler verifies that the caller is authenticated but does not verify that the caller is authorized to modify the specific target account; in other words, it lacks an object-level authorization check tying the target user to the caller's identity or role. This is particularly serious because the gap sits inside the authentication mechanism itself: an attacker who changes another user's password gains that user's access, can lock the legitimate owner out, and, by targeting an administrator account, obtains persistent and fully privileged control of the server's management plane. According to the vendor summary, ThinkSystem V2 and V3 servers with XCC are affected and ThinkSystem V1 servers are not. The weakness maps to CWE-285 (Improper Authorization); in ATT&CK terms, the resulting activity corresponds to T1078 (Valid Accounts) for use of the hijacked account and T1531 (Account Access Removal) for the password change that displaces its legitimate owner.
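As an added illustration (not XCC code, and not from Lenovo or VulDB), the following Python models the difference between a password-change handler that checks only that the caller is authenticated and one that enforces object-level authorization on the target account. The role names, the request shape and the in-memory user table are assumptions made for the example; the point is the missing check, not the surrounding scaffolding.

```python
"""Model of the authorization gap this advisory describes, beside a hardened
handler. Constructed illustration, not XCC code: the role names, request
shape and user table are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class User:
    name: str
    role: str            # assumed role names: "admin" or "readonly"
    salt: bytes
    pw_hash: bytes


@dataclass
class Request:
    actor: str           # authenticated caller; session validation already passed
    target: str          # account whose password the caller wants to set
    new_password: str
    current_password: Optional[str] = None


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(user: User, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, user.salt), user.pw_hash)


def make_user(name: str, role: str, password: str) -> User:
    salt = os.urandom(16)
    return User(name, role, salt, hash_password(password, salt))


class Controller:
    def __init__(self, users: Iterable[User]) -> None:
        self.users: Dict[str, User] = {u.name: u for u in users}

    def change_password_vulnerable(self, req: Request) -> int:
        """Authentication only: any logged-in account may set any password."""
        if req.actor not in self.users or req.target not in self.users:
            return 404
        target = self.users[req.target]
        target.pw_hash = hash_password(req.new_password, target.salt)
        return 200

    def change_password_hardened(self, req: Request) -> int:
        """Object-level authorization: the caller must own the target account
        (and prove it with the current password) or hold the admin role."""
        if req.actor not in self.users or req.target not in self.users:
            return 404
        actor = self.users[req.actor]
        target = self.users[req.target]
        if actor.name == target.name:
            # Self-service change: require proof of the current password.
            if req.current_password is None or not verify_password(target, req.current_password):
                return 403
        elif actor.role != "admin":
            # Changing someone else's password is an admin-only operation.
            return 403
        target.pw_hash = hash_password(req.new_password, target.salt)
        return 200


def demo() -> Dict[str, int]:
    """Runs the read-only-changes-admin request against both handlers."""
    attack = Request(actor="ro", target="admin", new_password="attacker-chosen")
    vulnerable = Controller([make_user("admin", "admin", "A"), make_user("ro", "readonly", "R")])
    hardened = Controller([make_user("admin", "admin", "A"), make_user("ro", "readonly", "R")])
    return {
        "vulnerable": vulnerable.change_password_vulnerable(attack),
        "hardened": hardened.change_password_hardened(attack),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': 200, 'hardened': 403}
```

The hardened handler makes two decisions the vulnerable one skips: whether the target is the caller's own account (in which case the current password must be presented) and, if not, whether the caller's role permits administering other accounts. Either branch failing returns 403 before any state is written.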

The operational impact goes beyond the single account. XCC is the out-of-band management controller for the server, so an attacker who obtains an administrative XCC account gains control over the host's power, console and boot configuration and can use that foothold for further movement into the data center environment. Because password changes are a routine administrative action, a malicious change issued by a Read-Only account can look like normal operation to administrators who review only the outcome and not which principal performed it, and organizations that do not audit role assignments or monitor API access patterns may not notice the activity for an extended period. The case illustrates why remote-management interfaces need object-level authorization on every state-changing operation, not merely a login check. Organizations should apply Lenovo's XCC firmware update, keep XCC interfaces on a segmented management network that is not reachable from general-purpose or untrusted networks, and review XCC audit logs for password changes in which the acting user is not an administrator or differs from the target account.

Responsible

Lenovo Group Ltd.

Reservation

08/29/2023

Disclosure

10/25/2023

Moderation

accepted

CPE

ready

EPSS

0.00458

KEV

no

Activities

very low
