Iomega and LenovoEMC NAS Vulnerability
Lenovo Security Advisory: LEN-25557
Potential Impact: Information disclosure
Severity: High
Scope of Impact: Lenovo-specific
CVE Identifier: CVE-2019-6160, CVE-2019-6178
Summary Description:
*Update 2019-08-15:
CVE-2019-6178:
An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other access to the underlying file systems and their contents.
CVE-2019-6160:
A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.
Mitigation Strategy for Customers (what you should do to protect yourself):
*Update 2019-08-15: There is no patch for CVE-2019-6178. To protect your device against this vulnerability, disable Personal Cloud. If Personal Cloud is enabled, avoid using sensitive share names and only use the device on trusted networks.
CVE-2019-6160:
Update to the firmware level (or later) described for your system in the Product Impact section.
If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks.
Acknowledgement:
CVE-2019-6160: Lenovo would like to thank WhiteHat Security and Vertical Structure for reporting this issue.
CVE-2019-6178: Lenovo would like to thank Rafael Pedrero for reporting this issue.
Product Impact:
px12-350r and ix12-300r, version 4.0.24.34808: https://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html
HMNHD (Home Media Network Hard Drive) Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html
StorCenter ix2-200, Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html
StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html
StorCenter ix2-200, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html
StorCenter ix4-200d, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html
StorCenter ix4-200rl, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html
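The check below is an added example, not Lenovo's code: it compares a device inventory against the fixed firmware levels listed above for CVE-2019-6160 and flags Personal Cloud for CVE-2019-6178, which has no patch. The inventory record fields (host, model, edition, firmware, personal_cloud) and the "cloud"/"standard" edition labels are assumptions.

```python
# Added example: triage a NAS inventory against advisory LEN-25557.
# Fixed firmware levels are copied from the Product Impact list. The record
# layout and the "cloud"/"standard" edition labels are assumptions.

FIXED = {
    ("px12-350r", "standard"): "4.0.24.34808",
    ("ix12-300r", "standard"): "4.0.24.34808",
    ("HMNHD", "cloud"): "3.2.16.30221",
    ("ix2-200", "cloud"): "3.2.16.30221",
    ("ix4-200d", "cloud"): "3.2.16.30221",
    ("ix2-200", "standard"): "2.1.50.30227",
    ("ix4-200d", "standard"): "2.1.50.30227",
    ("ix4-200rl", "standard"): "2.1.50.30227",
}

def parse_version(text):
    """Turn '3.2.16.30221' into (3, 2, 16, 30221) so fields compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(device):
    """Return the list of findings for one inventory record."""
    findings = []
    fixed = FIXED.get((device["model"], device["edition"]))
    if fixed is None:
        findings.append("model not listed in LEN-25557: check manually")
    elif parse_version(device["firmware"]) < parse_version(fixed):
        findings.append(f"CVE-2019-6160: update firmware to {fixed} or later")
    # CVE-2019-6178 has no patch; the advisory's mitigation is disabling Personal Cloud.
    if device.get("personal_cloud"):
        findings.append("CVE-2019-6178: disable Personal Cloud")
    return findings

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"host": "nas-01", "model": "ix2-200", "edition": "cloud",
     "firmware": "3.2.14.30100", "personal_cloud": True},
    # A plain string comparison would wrongly rank 9999 above 30227.
    {"host": "nas-02", "model": "ix4-200d", "edition": "standard",
     "firmware": "2.1.50.9999", "personal_cloud": False},
    {"host": "nas-03", "model": "px12-350r", "edition": "standard",
     "firmware": "4.0.24.34808", "personal_cloud": False},
]

def report(inventory):
    """Map each host name to its findings."""
    return {d["host"]: assess(d) for d in inventory}

if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        print(host, "->", "; ".join(findings) or "no action needed")
```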
Revision History:
Revision | Date | Description |
---|---|---|
2 | 2019-08-16 | Added CVE-2019-6178 |
1 | 2019-07-16 | Initial release |
For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.