[SingCERT] High-Severity Vulnerability in Iomega and LenovoEMC Products

Published on Friday, 19 July 2019 15:30

Background

A high-severity vulnerability (CVE-2019-6160) was found in Iomega and LenovoEMC Network-attached Storage (NAS) products.

Affected Products

•  px12-350r and ix12-300r version 4.0.24.34808

•  Home Media Network Hard Drive (HMNHD) Cloud Edition version 3.2.16.30221

•  StorCenter ix2-200 Cloud Edition version 3.2.16.30221

•  StorCenter ix4-200d Cloud Edition version 3.2.16.30221

•  StorCenter ix2-200 version 2.1.50.30227

•  StorCenter ix4-200d version 2.1.50.30227

•  StorCenter ix4-200rl version 2.1.50.30227

Impact

Successful exploitation of the vulnerability could allow an unauthenticated attacker to access files on NAS shares via the Application Programming Interface (API).

Recommendations

Users are advised to update the firmware of the affected products to the latest version immediately.

•  px12-350r and ix12-300r - http://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html

•  Home Media Network Hard Drive (HMNHD) Cloud Edition - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html

•  StorCenter ix2-200 Cloud Edition - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html

•  StorCenter ix4-200d Cloud Edition - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html

•  StorCenter ix2-200 - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html

•  StorCenter ix4-200d - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html

•  StorCenter ix4-200rl - http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html

If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and by using the devices only on trusted networks.

Reference

https://support.lenovo.com/sg/en/product_security/len-25557