Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack

According to Lenovo, the flaws affect 20 models of network attached storage (NAS) devices sold by the company, including Lenovo-branded  NAS devices, LenovoEMC, and Iomega.

The list of vulnerable devices includes eight LenovoEMC NAS (PX) models, nine Iomega StoreCenter (PX and IX) models and the Lenovo branded devices; ix4-300d, ix2 and EZ Media and Backup Center.

The flaws have been discovered as a part of a research project conducted by ISE Labs focused on the security of embedded devices.

Most of the devices audited by the researchers were affected by some sort of OS command injection vulnerability that could be exploited by remote attackers to take over the targeted system via root shell.

Chaining different vulnerabilities it is possible to gain full access to the device, experts noticed for example that the availability of the user’s access token and a session cookie-like identifier ( “__c parameter”) could allow the attackers to reach the goal. A typical attack scenario to gain this information sees attackers to luring an authenticated NAS user by tricking it into visiting a specially crafted malicious website.

“If we want to exploit this OS command injection we are going to need to figure out how these tokens are generated or access to the victim’s iomegaUserCookie (__c) token. Whenever I think about stealing some type of value stored in the user’s browser I think about cross-site scripting (XSS).” states the researchers.

The experts found a cross-site scripting vulnerability that allowed them to access the information, then used stored browser data to execute commands on the vulnerable devices.

Once obtained a target’s NAS access token and “_c parameter” it is possible to target the storage device by knowing its static IP address, a joke for attackers.

Summarizing, chaining command injection vulnerability with privilege escalation issues the attacker could execute commands on the devices on behalf of legitimate users.

The experts reported the vulnerabilities to Lenovo on August 3 and the company issued patches for vulnerable systems on Sept. 20 and publicly disclosed the vulnerabilities on September 30.

The list of CVEs include: CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.

Lenovo confirmed that firmware versions 4.1.402.34662 and earlier are vulnerable, users have to download firmware version 4.1.404.34716 (or later).

The company suggests removing any public shares and using the device only on trusted networks in case it is not possible to immediately update the firmware.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Lenovo, NAS)

[adrotate banner=”5″]

[adrotate banner=”13″]