Security Advisory: LenovoEMC and Iomega NAS Information Disclosure Vulnerability

Published: 2019-07-18

Vulnerability ID and Severity


CVE ID: CVE-2019-6160; Severity: High; CVSS score: not officially rated


Affected Versions


The following products are affected: px12-350r and ix12-300r, HMNHD Cloud Edition, StorCenter ix2-200, StorCenter ix4-200d, StorCenter ix4-200rl, and others.


Vulnerability Overview


The Lenovo Iomega StorCenter px12-350r and the other listed products are storage devices from Lenovo, a Chinese company.


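CVE-2019-6160 affects many Iomega and LenovoEMC NAS products, which reached end of service four years ago. The vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices allows anyone to access many terabytes of potentially sensitive data over the Internet.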


The vulnerability stems from an unprotected API call that allows unauthenticated users to access files on NAS shares through the API.


Vulnerability Verification


No PoC/exploit is available at this time.


Remediation


The vendor has released upgrade patches that fix the vulnerability. The patches are available at the following links:


px12-350r and ix12-300r, version 4.0.24.34808: 

http://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html


HMNHD (Home Media Network Hard Drive) Cloud Edition, version 3.2.16.30221:

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html


StorCenter ix2-200, Cloud Edition, version 3.2.16.30221: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html


StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html


StorCenter ix2-200, version 2.1.50.30227: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html


StorCenter ix4-200d, version 2.1.50.30227: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html


StorCenter ix4-200rl, version 2.1.50.30227:

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html


References


https://www.helpnetsecurity.com/2019/07/17/lenovoemc-nas-devices-flaw/