
Iomega and LenovoEMC NAS Vulnerability

Lenovo Security Advisory: LEN-25557

Potential Impact: Information disclosure

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2019-6160, CVE-2019-6178

 

Summary Description:

*Update 2019-08-15:

CVE-2019-6178:

An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other access to the underlying file systems and their contents.

 

CVE-2019-6160:

A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.

 

Mitigation Strategy for Customers (what you should do to protect yourself):

*Update 2019-08-15: There is no patch for CVE-2019-6178. To protect your device against this vulnerability, disable Personal Cloud. If Personal Cloud is enabled, avoid using sensitive share names and only use the device on trusted networks.

CVE-2019-6160:

Update to the firmware level (or later) described for your system in the Product Impact section.

If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks.

 

Acknowledgement:

CVE-2019-6160: Lenovo would like to thank WhiteHat Security and Vertical Structure for reporting this issue.

CVE-2019-6178: Lenovo would like to thank Rafael Pedrero for reporting this issue.

 

Product Impact:

px12-350r and ix12-300r, version 4.0.24.34808: https://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html

HMNHD (Home Media Network Hard Drive) Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html

StorCenter ix2-200, Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html

StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html

StorCenter ix2-200, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html

StorCenter ix4-200d, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html

StorCenter ix4-200rl, version 2.1.50.30227: https://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html
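
The following is an added example, not code from Lenovo or from this advisory: it audits a device inventory against the fixed firmware levels listed above and the Personal Cloud mitigation for CVE-2019-6178. The inventory records, host names, the short model keys and the `personal_cloud` field are assumptions constructed for illustration; versions are compared field by field as integers, because a plain string comparison would rank 3.2.9 above 3.2.16.

```python
# Added example: audit a NAS inventory against the fixed firmware levels in LEN-25557.
# Fixed versions are copied from the Product Impact list; the inventory is constructed.

FIXED = {  # (model, edition) -> firmware level carrying the CVE-2019-6160 fix
    ("px12-350r", ""): "4.0.24.34808",
    ("ix12-300r", ""): "4.0.24.34808",
    ("HMNHD", "Cloud Edition"): "3.2.16.30221",
    ("ix2-200", "Cloud Edition"): "3.2.16.30221",
    ("ix4-200d", "Cloud Edition"): "3.2.16.30221",
    ("ix2-200", ""): "2.1.50.30227",
    ("ix4-200d", ""): "2.1.50.30227",
    ("ix4-200rl", ""): "2.1.50.30227",
}

def parse(version):
    """Turn '3.2.16.30221' into (3, 2, 16, 30221) so fields compare numerically."""
    return tuple(int(part) for part in version.strip().split("."))

def audit(device):
    """Return the findings for one inventory record (empty list = nothing to do)."""
    findings = []
    # Cloud Edition and non-Cloud Edition units of the same model run different
    # firmware trains (3.2.x vs 2.1.x), so the edition is part of the lookup key.
    fixed = FIXED.get((device["model"], device.get("edition", "")))
    if fixed is None:
        findings.append("model/edition not listed in LEN-25557; check manually")
    elif parse(device["firmware"]) < parse(fixed):
        findings.append(f"CVE-2019-6160: update firmware to {fixed} or later")
    if device.get("personal_cloud"):
        findings.append("CVE-2019-6178: no patch; disable Personal Cloud")
    return findings

# Constructed sample inventory (hosts, versions and personal_cloud flags are made up).
INVENTORY = [
    {"host": "nas-a", "model": "ix2-200", "edition": "Cloud Edition",
     "firmware": "3.2.9.30221", "personal_cloud": True},
    {"host": "nas-b", "model": "ix4-200d", "firmware": "2.1.50.30227",
     "personal_cloud": False},
    {"host": "nas-c", "model": "px12-350r", "firmware": "4.1.0.100",
     "personal_cloud": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        for finding in audit(dev) or ["no action needed"]:
            print(f"{dev['host']}: {finding}")
```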

 

Revision History:

Revision  Date        Description
2         2019-08-16  Added CVE-2019-6178
1         2019-07-16  Initial release

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an “as is” basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.

 


Alias Id: LEN-25557
Document ID: PS500261
Original Publish Date: 07/15/2019
Last Modified Date: 08/16/2019