Vulnerability Description
The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an "encrypted remote KVM session," which allows man-in-the-middle attackers to spoof servers.
CVSS Score
4.3 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lenovo | ThinkServer System Manager Baseboard Management Controller Firmware | 118.71532 |
| Lenovo | ThinkServer RD350 | - |
| Lenovo | ThinkServer RD450 | - |
| Lenovo | ThinkServer RD550 | - |
| Lenovo | ThinkServer RD650 | - |
| Lenovo | ThinkServer TD350 | - |
Related Weaknesses (CWE)
References
- http://support.lenovo.com/us/en/product_security/tsm_weak_pw (Vendor Advisory, Patch)
- http://www.securityfocus.com/bid/74199
FAQ
What is CVE-2015-3324?
CVE-2015-3324 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 does not validate server certificates during an "encrypted remote KVM session," which allows man-in-the-middle attackers to spoof servers.
How severe is CVE-2015-3324?
CVE-2015-3324 has been rated MEDIUM with a CVSS base score of 4.3/10. Exploitation requires an attacker positioned on the network path between the operator's KVM client and the BMC; from there the attacker can pose as the BMC and read or alter the remote console session. No further CVSS vector metrics are listed on this page.
Is there a patch for CVE-2015-3324?
Yes. Lenovo's advisory (tsm_weak_pw, listed in the references above) covers the fix: TSM firmware 1.27.73476 and later validate the server certificate, so update the BMC firmware on affected systems. Affected products include: Lenovo ThinkServer System Manager Baseboard Management Controller Firmware, Lenovo ThinkServer RD350, Lenovo ThinkServer RD450, Lenovo ThinkServer RD550, Lenovo ThinkServer RD650, and Lenovo ThinkServer TD350.