Lenovo Security Advisory: LEN-24224
Potential Impact: Privilege escalation
Severity: High
Scope of Impact: Lenovo specific
CVE Identifier: CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081, CVE-2018-9082
Summary Description: Multiple security weaknesses exist in the Web UI of withdrawn Iomega and LenovoEMC NAS products. Some of these weaknesses can be chained together to enable a compromise of the NAS device by an authenticated user. Other weaknesses can enable malicious JavaScript content or links to be executed by an authorized user's web browser if that malicious content is accessed or the link is clicked. Additionally, the best practice of verifying an old password before setting a new password was not implemented.
Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware level (or later) described for your system in the product impact section.
If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares, using the device only on trusted networks, and clicking on device URLs only from trustworthy sources.