Information about LenovoEMC devices may be disclosed if the device has an Internet-accessible management interface

Lenovo Security Advisory: LEN-3846 **Potential Impact: **Disclosure of information about device Severity:Low

Summary:

An unauthenticated user may be able to view device information about the LenovoEMC device if the management interface accessible over the internet. Even with this vunerability, no data stored on the LenovoEMC device can be viewed, accessed or modified, as long as default device security is enabled.

Description:

LenovoEMC products are network-attached storage devices (NAS) that allow files to be stored and accessed over a network. If the LenovoEMC device’s management interface is accessible over the Internet, unauthenticated users may be able to view data about the device, such as machine type or firmware version, without needing a password. No data stored on this device is at risk of being exposed, as long security settings are properly configured (see here for details on properly configuring the security settings: <https://lenovo-na-en.custhelp.com/app/answers/detail/a_id/31986&gt;

Mitigation Strategy for Customers (what you should do to protect yourself):

LenovoEMC has developed a firmware update that will prevent remote users from being able to access the information about the LenovoEMC device over the internet. The information will still be accessible if a user is on the same LAN.

To update to the latest firmware level for the LenovoEMC device, click on the link below for your device and follow the instructions.

Product Impact and update instructions:

LenovoEMC EZ Media & Backup (hm3)

|

4.1.204.33661

|

Answer ID 32028

—|—|—

LenovoEMC ix2/ix2-dl

|

4.1.204.33661

|

Answer ID 31178

LenovoEMC ix4-300d (inc DL)

|

4.1.204.33661

|

Answer ID 32096

LenovoEMC px12-400r/450r

|

4.1.204.33661

|

Answer ID 32092

LenovoEMC px6-300d

|

4.1.204.33661

|

Answer ID 27366

LenovoEMC px2-300d

|

4.1.204.33661

|

Answer ID 32094

LenovoEMC px4-300r

|

4.1.204.33661

|

Answer ID 27368

LenovoEMC px4-400d

|

4.1.204.33661

|

Answer ID 33814

LenovoEMC px4-400r

|

4.1.204.33661

|

Answer ID 33824

LenovoEMC px4-300d

|

4.1.204.33661

|

Answer ID 27363

LenovoEMC recommends following the best security practices from the following link to protect data stored in the device:
Security Best Practices Guidelines
Protecting your network storage device data from unauthorized access

Acknowledgements:
Lenovo would like to thank Matteo Neri (Company: Sorint.SEC) for reporting this vulnerability (CVE-2015-8108)

Other information and references:

CVE-2015-8108

Revision History:

Revision

|

Date

|

Description

—|—|—
1.0 |** 03/10/2016**|** Initial release**

if (!Lenovo.GoogleAnalytics) { document.write(‘<script src=“/bundles/GoogleAnalytics?v=4HNP0wj61s3zFRyxoiRIvSq6lP1Vhp9NBFt9_5QQZ141”></script>’); }

var ds_country_and_language = {“CurrentUrl”:“/product_security/len_3846”,“CL”:{“Countries”:{“ar”:{“Name”:“Argentina”,“Code”:“ar”,“Flag”:“flag_ar”},“au”:{“Name”:“Australia”,“Code”:“au”,“Flag”:“flag_au”},“at”:{“Name”:“Austria”,“Code”:“at”,“Flag”:“flag_at”},“bd”:{“Name”:“Bangladesh”,“Code”:“bd”,“Flag”:“flag_bd”},“by”:{“Name”:“Belarus”,“Code”:“by”,“Flag”:“flag_by”},“be”:{“Name”:“Belgium”,“Code”:“be”,“Flag”:“flag_be”},“bo”:{“Name”:“Bolivia”,“Code”:“bo”,“Flag”:“flag_bo”},“br”:{“Name”:“Brazil”,“Code”:“br”,“Flag”:“flag_br”},“bg”:{“Name”:“Bulgaria”,“Code”:“bg”,“Flag”:“flag_bg”},“ca”:{“Name”:“Canada”,“Code”:“ca”,“Flag”:“flag_ca”},“cl”:{“Name”:“Chile”,“Code”:“cl”,“Flag”:“flag_cl”},“co”:{“Name”:“Colombia”,“Code”:“co”,“Flag”:“flag_co”},“cr”:{“Name”:“Costa Rica”,“Code”:“cr”,“Flag”:“flag_cr”},“hr”:{“Name”:“Croatia”,“Code”:“hr”,“Flag”:“flag_hr”},“cy”:{“Name”:“Cyprus”,“Code”:“cy”,“Flag”:“flag_cy”},“cz”:{“Name”:“Czech Republic”,“Code”:“cz”,“Flag”:“flag_cz”},“dk”:{“Name”:“Denmark”,“Code”:“dk”,“Flag”:“flag_dk”},“do”:{“Name”:“Dominican Republic”,“Code”:“do”,“Flag”:“flag_do”},“ec”:{“Name”:“Ecuador”,“Code”:“ec”,“Flag”:“flag_ec”},“eg”:{“Name”:“Egypt”,“Code”:“eg”,“Flag”:“flag_eg”},“sv”:{“Name”:“El Salvador”,“Code”:“sv”,“Flag”:“flag_sv”},“fi”:{“Name”:“Finland”,“Code”:“fi”,“Flag”:“flag_fi”},“fr”:{“Name”:“France”,“Code”:“fr”,“Flag”:“flag_fr”},“de”:{“Name”:“Germany”,“Code”:“de”,“Flag”:“flag_de”},“gr”:{“Name”:“Greece”,“Code”:“gr”,“Flag”:“flag_gr”},“gt”:{“Name”:“Guatemala”,“Code”:“gt”,“Flag”:“flag_gt”},“hn”:{“Name”:“Honduras”,“Code”:“hn”,“Flag”:“flag_hn”},“hk”:{“Name”:“Hong Kong”,“Code”:“hk”,“Flag”:“flag_hk”},“hu”:{“Name”:“Hungary”,“Code”:“hu”,“Flag”:“flag_hu”},“in”:{“Name”:“India”,“Code”:“in”,“Flag”:“flag_in”},“id”:{“Name”:“Indonesia”,“Code”:“id”,“Flag”:“flag_id”},“ie”:{“Name”:“Ireland”,“Code”:“ie”,“Flag”:“flag_ie”},“il”:{“Name”:“Israel”,“Code”:“il”,“Flag”:“flag_il”},“it”:{“Name”:“Italy”,“Code”:“it”,“Flag”:“flag_it”},“jp”:{“Name”:“Japan”,“Code”:“jp”,“Flag”:“flag_jp”},“kr”:{“Name”:“Korea”,“Code”:“kr”,“Flag”:“flag_kr”},“lu”:{“Name”:“Luxembourg”,“Code”:“lu”,“Flag”:“flag_lu”},“my”:{“Name”:“Malaysia”,“Code”:“my”,“Flag”:“flag_my”},“mx”:{“Name”:“Mexico”,“Code”:“mx”,“Flag”:“flag_mx”},“mn”:{“Name”:“Mongolia”,“Code”:“mn”,“Flag”:“flag_mn”},“ma”:{“Name”:“Morocco”,“Code”:“ma”,“Flag”:“flag_ma”},“nl”:{“Name”:“Netherlands”,“Code”:“nl”,“Flag”:“flag_nl”},“nz”:{“Name”:“New Zealand”,“Code”:“nz”,“Flag”:“flag_nz”},“ni”:{“Name”:“Nicaragua”,“Code”:“ni”,“Flag”:“flag_ni”},“ng”:{“Name”:“Nigeria”,“Code”:“ng”,“Flag”:“flag_ng”},“no”:{“Name”:“Norway”,“Code”:“no”,“Flag”:“flag_no”},“pa”:{“Name”:“Panama”,“Code”:“pa”,“Flag”:“flag_pa”},“py”:{“Name”:“Paraguay”,“Code”:“py”,“Flag”:“flag_py”},“pe”:{“Name”:“Peru”,“Code”:“pe”,“Flag”:“flag_pe”},“ph”:{“Name”:“Philippines”,“Code”:“ph”,“Flag”:“flag_ph”},“pl”:{“Name”:“Poland”,“Code”:“pl”,“Flag”:“flag_pl”},“pt”:{“Name”:“Portugal”,“Code”:“pt”,“Flag”:“flag_pt”},“ro”:{“Name”:“Romania”,“Code”:“ro”,“Flag”:“flag_ro”},“ru”:{“Name”:“Russia”,“Code”:“ru”,“Flag”:“flag_ru”},“sa”:{“Name”:“Saudi Arabia”,“Code”:“sa”,“Flag”:“flag_sa”},“rs”:{“Name”:“Serbia”,“Code”:“rs”,“Flag”:“flag_rs”},“sg”:{“Name”:“Singapore”,“Code”:“sg”,“Flag”:“flag_sg”},“sk”:{“Name”:“Slovakia”,“Code”:“sk”,“Flag”:“flag_sk”},“si”:{“Name”:“Slovenia”,“Code”:“si”,“Flag”:“flag_si”},“za”:{“Name”:“South Africa”,“Code”:“za”,“Flag”:“flag_za”},“es”:{“Name”:“Spain”,“Code”:“es”,“Flag”:“flag_es”},“lk”:{“Name”:“Sri Lanka”,“Code”:“lk”,“Flag”:“flag_lk”},“se”:{“Name”:“Sweden”,“Code”:“se”,“Flag”:“flag_se”},“ch”:{“Name”:“Switzerland”,“Code”:“ch”,“Flag”:“flag_ch”},“tw”:{“Name”:“Taiwan”,“Code”:“tw”,“Flag”:“flag_tw”},“th”:{“Name”:“Thailand”,“Code”:“th”,“Flag”:“flag_th”},“tr”:{“Name”:“Turkey”,“Code”:“tr”,“Flag”:“flag_tr”},“ua”:{“Name”:“Ukraine”,“Code”:“ua”,“Flag”:“flag_ua”},“ae”:{“Name”:“United Arab Emirates”,“Code”:“ae”,“Flag”:“flag_ae”},“gb”:{“Name”:“United Kingdom”,“Code”:“gb”,“Flag”:“flag_gb”},“us”:{“Name”:“United States”,“Code”:“us”,“Flag”:“flag_us”},“uy”:{“Name”:“Uruguay”,“Code”:“uy”,“Flag”:“flag_uy”},“uu”:{“Name”:“US Downloads”,“Code”:“uu”,“Flag”:“flag_uu”},“ve”:{“Name”:“Venezuela”,“Code”:“ve”,“Flag”:“flag_ve”},“vn”:{“Name”:“Vietnam”,“Code”:“vn”,“Flag”:“flag_vn”}},“Languages”:{“ar”:“Arabic : العربية”,“id”:“Indonesian : Bahasa Indonesia”,“cs”:“Czech : čeština”,“da”:“Danish : dansk”,“de”:“German : Deutsch”,“nl”:“Dutch : Dutch”,“en”:“English : English”,“es”:“Spanish : español”,“fr”:“French : français”,“it”:“Italian : italiano”,“hu”:“Hungarian : magyar”,“nn”:“Norwegian (Nynorsk) : norsk (nynorsk)”,“pl”:“Polish : polski”,“pt”:“Portuguese : Português”,“ro”:“Romanian : română”,“sk”:“Slovak : slovenčina”,“fi”:“Finnish : suomi”,“sv”:“Swedish : svenska”,“tr”:“Turkish : Türkçe”,“el”:“Greek : Ελληνικά”,“ru”:“Russian : русский”,“uk”:“Ukrainian : українська”,“he”:“Hebrew : עברית”,“th”:“Thai : ไทย”,“ko”:“Korean : 한국어”,“zh”:“Chinese : 中文”,“ja”:“Japanese : 日本語”}}}; ; if (typeof _satellite != ‘undefined’) _satellite.pageBottom(); if (document.getElementById( ‘mobile-nav-btn’ )!=null){ new mlPushMenu( document.getElementById( ‘mp-menu’ ), document.getElementById( ‘mobile-nav-btn’ ) ); } @media screen and (max-width:405px) { .button { width: 100% !important; margin-top: 5px; } .btngroup { margin-top: 10px !important; } #ProductTypes_chosen { width: 100% !important; } #Comments { width: 97% !important; } } #Comments { width: 314px; } #div_feedback { } #btn_content_div { display: none; } #FB_Prducts { margin: 2px; } #div_feedback h2 { color: black; font-size: 14px; } #div_feedback p { margin: 0; } #FB_Question1 { margin: 14px 0; } #FB_Question2 { margin: 14px 0; } #div_feedback a { text-decoration: none; color: #3e8ddd; font-size: 14px; } #div_feedback a span { color: #555555; font-size: 14px; } #FB_Title h2 { margin: 8px 0; color: #ff6a00; font-weight:bold; } #FB_Title h2 span { color: #ff6a00; margin-right:10px; font-weight:bold; } #FB_Title p { color: #666; margin: 8px 0; font-size: 12px; } .btngroup { margin-top: 15px; width: 100%; float: left; } .button { border: 1px solid #3e8ddd; font-weight: bold; color: #fff; background: #3e8ddd; border-radius: 0px; float: left; -webkit-border-radius: 0px; -moz-border-radius: 0px; -o-border-radius: 0px; -khtml-border-radius: 0px; width: 100px; margin-right: 10px; padding: 5px 0; text-align: center; cursor: pointer; font-size: 12px; transition: 0.2s; height: 30px !important; box-sizing: border-box; } .button:hover { color: #3e8ddd; background: #fff; } textarea { resize: none; } .border { float: left; width: 100%; border-top: 1px solid #d9d9d9; border-bottom: 1px solid #d9d9d9; padding: 15px 0; margin-top: 30px; margin-bottom: 20px; } .chosen-container-single .chosen-single { border-radius: 0 !important; }