PT-2017-16077 · Lenovo · Lenovo Toolscenter Advanced Settings Utility+2

Published: 2017-06-20 · Updated: 2017-06-30 · CVE-2017-3743

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Lenovo ToolsCenter Advanced Settings Utility (ASU) (affected versions not specified)
Lenovo UpdateXpress System Pack Installer (UXSPI) (affected versions not specified)
Lenovo Dynamic System Analysis (DSA) (affected versions not specified)

Description

The issue allows other users to see the user ID and cleartext password used to access a second machine when a command is sent via the affected utilities. This occurs when multiple users are concurrently logged into a single system and one user is sending a command to another machine.

Recommendations

For Lenovo ToolsCenter Advanced Settings Utility (ASU), consider restricting access to the utility until a fix is available. For Lenovo UpdateXpress System Pack Installer (UXSPI), avoid using the utility for commands that require authentication until the issue is resolved. For Lenovo Dynamic System Analysis (DSA), limit concurrent user access to the system when using the utility to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2017-3743

Affected Products

Lenovo Dynamic System Analysis
Lenovo Toolscenter Advanced Settings Utility
Lenovo Updatexpress System Pack Installer