Lenovo Security Advisory: LEN-3846
**Potential Impact:** Disclosure of information about device
**Severity:** Low
Summary:
An unauthenticated user may be able to view device information about the LenovoEMC device if the management interface is accessible over the internet. Even with this vulnerability, no data stored on the LenovoEMC device can be viewed, accessed or modified, as long as default device security is enabled.
Description:
LenovoEMC products are network-attached storage devices (NAS) that allow files to be stored and accessed over a network. If the LenovoEMC device’s management interface is accessible over the Internet, unauthenticated users may be able to view data about the device, such as machine type or firmware version, without needing a password. No data stored on this device is at risk of being exposed, as long as security settings are properly configured (see here for details on properly configuring the security settings: <https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/31986>).
Mitigation Strategy for Customers (what you should do to protect yourself):
LenovoEMC has developed a firmware update that will prevent remote users from being able to access the information about the LenovoEMC device over the internet. The information will still be accessible if a user is on the same LAN.
To update to the latest firmware level for the LenovoEMC device, click on the link below for your device and follow the instructions.
Product Impact and update instructions:
Product | Firmware version
---|---
LenovoEMC EZ Media & Backup (hm3) | 4.1.204.33661
LenovoEMC ix2/ix2-dl | 4.1.204.33661
LenovoEMC ix4-300d (inc DL) | 4.1.204.33661
LenovoEMC px12-400r/450r | 4.1.204.33661
LenovoEMC px6-300d | 4.1.204.33661
LenovoEMC px2-300d | 4.1.204.33661
LenovoEMC px4-300r | 4.1.204.33661
LenovoEMC px4-400d | 4.1.204.33661
LenovoEMC px4-400r | 4.1.204.33661
LenovoEMC px4-300d | 4.1.204.33661
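One way to apply the product table above to an asset inventory, as an added example that is not part of Lenovo's advisory: it flags listed products whose firmware is below the level in the table and whose management address is outside the RFC 1918 private ranges. The CSV column names, host names and sample rows are constructed for illustration, and treating 4.1.204.33661 as the minimum fixed level is an assumption.

```python
import csv
import io
import ipaddress

# Firmware level from the advisory's product table. Treating it as the minimum
# fixed level is an assumption of this example.
FIXED_LEVEL = (4, 1, 204, 33661)
# Product names as listed in the advisory, lower-cased for matching.
AFFECTED_MODELS = {
    "ez media & backup (hm3)", "ix2/ix2-dl", "ix4-300d (inc dl)",
    "px12-400r/450r", "px6-300d", "px2-300d", "px4-300r", "px4-400d",
    "px4-400r", "px4-300d",
}
# RFC 1918 ranges: addresses here are not directly routable from the internet.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_level(text):
    """Turn '4.1.204.33661' into a tuple of ints so levels compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def review(inventory_csv):
    """Return [(host, [findings])] for listed products that need attention."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().lower() not in AFFECTED_MODELS:
            continue
        findings = []
        try:
            if parse_level(row["firmware"]) < FIXED_LEVEL:
                findings.append("firmware below 4.1.204.33661")
        except ValueError:
            findings.append("unparseable firmware level: " + row["firmware"])
        addr = ipaddress.ip_address(row["mgmt_ip"].strip())
        if not any(addr in net for net in PRIVATE_NETS):
            findings.append("management address outside private ranges")
        if findings:
            results.append((row["host"], findings))
    return results

# Constructed sample inventory: hypothetical hosts, a made-up older firmware
# level, and a documentation-range address standing in for a public one.
SAMPLE = """host,model,firmware,mgmt_ip
nas-01,px4-300d,4.1.114.33421,192.168.10.20
nas-02,ix2/ix2-dl,4.1.204.33661,10.0.0.5
nas-03,px6-300d,4.1.204.33661,203.0.113.7
nas-04,ix4-300d (inc DL),4.0.x,172.16.4.9
"""
if __name__ == "__main__":
    for host, findings in review(SAMPLE):
        print(host, "->", "; ".join(findings))
```

A device on a private address can still be exposed through router port forwarding, so the address check only catches directly addressed devices.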
LenovoEMC recommends following the best security practices from the following link to protect data stored in the device:
Security Best Practices Guidelines
Protecting your network storage device data from unauthorized access
Acknowledgements:
Lenovo would like to thank Matteo Neri (Company: Sorint.SEC) for reporting this vulnerability (CVE-2015-8108)
Other information and references:
CVE-2015-8108
Revision History:
Revision | Date | Description
---|---|---
1.0 | 03/10/2016 | Initial release