Lenovo LENOVO:PS500188-NOSID
Sep 20, 2018 - 4:58 p.m.

Iomega and LenovoEMC NAS Web UI Vulnerabilities - US

2018-09-20 16:58:00
support.lenovo.com

EPSS: 0.002 (Low), Percentile: 60.8%

Lenovo Security Advisory: LEN-24224

Potential Impact: Privilege escalation

Severity: High

Scope of Impact: Lenovo specific

CVE Identifier: CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081, CVE-2018-9082

Summary Description: Multiple security weaknesses exist in the Web UI of withdrawn Iomega and LenovoEMC NAS products. Some of these weaknesses can be chained together to enable a compromise of the NAS device by an authenticated user. Other weaknesses can enable malicious JavaScript content or links to be executed by an authorized user’s web browser if that malicious content is accessed or the link is clicked. Additionally, the best practice of verifying an old password before setting a new password was not implemented.

Mitigation Strategy for Customers (what you should do to protect yourself): Update to the firmware level (or later) described for your system in the product impact section.

If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares, using the device only on trusted networks, and clicking on device URLs only from trustworthy sources.
