History: Sep 28, 2018 - 8:29 p.m.

CVE-2018-9075

2018-09-28 20:29:00
CWE-78
web.nvd.nist.gov
cve-2018-9075, command injection, iomega, lenovo, nas devices, security vulnerability, nvd

CVSS2: 9.3 High

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS3: 8.1 High

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score: 8.4 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 55.3%)

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick “``” characters in the client:password parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.

Affected configurations

NVD
Node
lenovo  lenovoemc_firmware  Range  4.1.402.34662
AND
lenovo  iomega_ez_media_\&_backup_center  Match  -
OR
lenovo  iomega_storcenter_ix2  Match  -
OR
lenovo  iomega_storcenter_ix2-dl  Match  -
OR
lenovo  iomega_storcenter_ix4-300d  Match  -
OR
lenovo  iomega_storcenter_px12-400r  Match  -
OR
lenovo  iomega_storcenter_px12-450r  Match  -
OR
lenovo  iomega_storcenter_px2-300d  Match  -
OR
lenovo  iomega_storcenter_px4-300d  Match  -
OR
lenovo  iomega_storcenter_px4-300r  Match  -
OR
lenovo  iomega_storcenter_px6-300d  Match  -
OR
lenovo  lenovo_ez_media_\&_backup_center  Match  -
OR
lenovo  lenovo_ix2  Match  -
OR
lenovo  lenovo_ix4-300d  Match  -
OR
lenovo  lenovoemc_px12-400r  Match  -
OR
lenovo  lenovoemc_px12-450r  Match  -
OR
lenovo  lenovoemc_px2-300d  Match  -
OR
lenovo  lenovoemc_px4-300d  Match  -
OR
lenovo  lenovoemc_px4-300r  Match  -
OR
lenovo  lenovoemc_px4-400d  Match  -
OR
lenovo  lenovoemc_px4-400r  Match  -
OR
lenovo  lenovoemc_px6-300d  Match  -

CNA Affected

[
  {
    "product": "Iomega StorCenter",
    "vendor": "Lenovo Group LTD",
    "versions": [
      {
        "lessThanOrEqual": "4.1.402.34662",
        "status": "affected",
        "version": "4.1.402.34662",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "LenovoEMC",
    "vendor": "Lenovo Group LTD",
    "versions": [
      {
        "lessThanOrEqual": "4.1.402.34662",
        "status": "affected",
        "version": "4.1.402.34662",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "EZ Media and Backup Center",
    "vendor": "Lenovo Group LTD",
    "versions": [
      {
        "lessThanOrEqual": "4.1.402.34662",
        "status": "affected",
        "version": "4.1.402.34662",
        "versionType": "custom"
      }
    ]
  }
]
