ASA-2019-00461 – Lenovo Iomega and LenovoEMC NAS: Unauthenticated file access via API


Allele Security Alert

ASA-2019-00461

Identifier(s)

ASA-2019-00461, CVE-2019-6160, LEN-25557

Title

Unauthenticated file access via API

Vendor(s)

Lenovo

Product(s)

px12-350r and ix12-300r
HMNHD (Home Media Network Hard Drive) Cloud Edition
StorCenter ix2-200 Cloud Edition
StorCenter ix4-200d Cloud Edition
StorCenter ix2-200
StorCenter ix4-200d
StorCenter ix4-200rl

Affected version(s)

px12-350r and ix12-300r version 4.0.24.34808
HMNHD (Home Media Network Hard Drive) Cloud Edition version 3.2.16.30221
StorCenter ix2-200 Cloud Edition version 3.2.16.30221
StorCenter ix4-200d Cloud Edition version 3.2.16.30221
StorCenter ix2-200 version 2.1.50.30227
StorCenter ix4-200d version 2.1.50.30227
StorCenter ix4-200rl version 2.1.50.30227

Fixed version(s)

Unknown

Proof of concept

Unknown

Description

A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.

Technical details

Unknown

Credits

WhiteHat Security and Vertical Structure

Reference(s)

LEN-25557
https://support.lenovo.com/us/en/solutions/LEN-25557

Firmware Version 4.0.24.34808 for px12-350r and ix12-300r
http://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html

Home Media Network Hard Drive, Cloud Edition — Firmware Version 3.2.16.30221
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html

StorCenter ix2-200, Cloud Edition — Firmware Version 3.2.16.30221
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html

StorCenter ix4-200d, Cloud Edition — Firmware Version 3.2.16.30221
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html

StorCenter ix2-200 Firmware Version 2.1.50.30227
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html

StorCenter ix4-200d Firmware Version 2.1.50.30227
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html

StorCenter ix4-200r Firmware Version 2.1.50.30227
http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html

CVE-2019-6160
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6160

CVE-2019-6160
https://nvd.nist.gov/vuln/detail/CVE-2019-6160

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: July 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.