Iomega and LenovoEMC NAS Vulnerability - Lenovo Support US

Lenovo Security Advisory: LEN-25557

Potential Impact: Information disclosure

Severity: High

Scope of Impact: Lenovo-specific

CVE Identifier: CVE-2019-6160, CVE-2019-6178

Summary Description:

*Update 2019-08-15:

CVE-2019-6178:

An information leakage vulnerability in Iomega and LenovoEMC NAS products could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled. This does not allow read, write, delete, or any other access to the underlying file systems and their contents.

CVE-2019-6160:

A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.

Mitigation Strategy for Customers (what you should do to protect yourself):

*Update 2019-08-15: There is no patch for CVE-2019-6178. To protect your device against this vulnerability, disable Personal Cloud. If Personal Cloud is enabled, avoid using sensitive share names and only use the device on trusted networks.

CVE-2019-6160:

Update to the firmware level (or later) described for your system in the Product Impact section.

If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks.

Acknowledgement:

CVE-2019-6160: Lenovo would like to thank WhiteHat Security and Vertical Structure for reporting this issue.

CVE-2019-6178: Lenovo would like to thank Rafael Pedrero for reporting this issue.