LenovoEMC and Iomega NAS Information Disclosure Vulnerability Security Advisory

Published: 2019-07-18

Vulnerability ID and Severity


CVE ID: CVE-2019-6160; Severity: High; CVSS score: not officially assessed


Affected Versions


The following products are affected: px12-350r and ix12-300r, HMNHD Cloud Edition, StorCenter ix2-200, StorCenter ix4-200d, StorCenter ix4-200rl, and others.


Vulnerability Overview


The Lenovo Iomega StorCenter px12-350r and the other listed products are storage devices from the Chinese company Lenovo.


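CVE-2019-6160 affects many Iomega and LenovoEMC NAS products, which reached end of service four years ago. The vulnerability in these legacy Iomega and LenovoEMC network-attached storage (NAS) devices allows anyone to access many terabytes of potentially sensitive data over the Internet.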


The vulnerability stems from an unprotected API call, which allows unauthenticated users to access files on NAS shares through the API.


Vulnerability Verification


No PoC/exploit is currently available.


Remediation


The vendor has released firmware updates that fix the vulnerability. Patch download links:


px12-350r and ix12-300r, version 4.0.24.34808: 

http://download.lenovo.com/lenovoemc/eu/en/app/answers/detail/a_id/23142.html


HMNHD (Home Media Network Hard Drive) Cloud Edition, version 3.2.16.30221:

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26791.html


StorCenter ix2-200, Cloud Edition, version 3.2.16.30221: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26789.html


StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/26784.html


StorCenter ix2-200, version 2.1.50.30227: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22318.html


StorCenter ix4-200d, version 2.1.50.30227: 

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/22315.html


StorCenter ix4-200rl, version 2.1.50.30227:

http://download.lenovo.com/lenovoemc/na/en/app/answers/detail/a_id/29782.html
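
The fixed versions listed above can be checked against a device inventory. The following is an added example, not part of the original advisory or any vendor tooling. It assumes that firmware at or above the listed version is patched, that devices without "Cloud Edition" in their entry are labelled "standard", and that the inventory rows (hosts and installed versions) are constructed sample data.

```python
# Added example: audit a NAS inventory against the fixed firmware versions
# listed in this advisory. Versions are compared numerically, field by field.

# (model, edition) -> fixed version from the advisory's patch list.
# The "standard"/"cloud" edition labels are this example's own convention.
FIXED = {
    ("px12-350r", "standard"): "4.0.24.34808",
    ("ix12-300r", "standard"): "4.0.24.34808",
    ("HMNHD", "cloud"): "3.2.16.30221",
    ("ix2-200", "cloud"): "3.2.16.30221",
    ("ix4-200d", "cloud"): "3.2.16.30221",
    ("ix2-200", "standard"): "2.1.50.30227",
    ("ix4-200d", "standard"): "2.1.50.30227",
    ("ix4-200rl", "standard"): "2.1.50.30227",
}

def parse_version(text):
    """Turn '4.0.24.34808' into (4, 0, 24, 34808) for numeric comparison."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {text!r}")
    return tuple(int(p) for p in parts)

def classify(model, edition, firmware):
    """Return 'patched', 'vulnerable', 'not-listed' or 'unparseable'."""
    fixed = FIXED.get((model, edition))
    if fixed is None:
        return "not-listed"  # model/edition pair is not in this advisory
    try:
        installed = parse_version(firmware)
    except ValueError:
        return "unparseable"  # needs manual review, never assume patched
    # Assumption: any build at or above the listed version carries the fix.
    return "patched" if installed >= parse_version(fixed) else "vulnerable"

def audit(inventory):
    """Map each host name to its classification."""
    return {host: classify(m, e, fw) for host, m, e, fw in inventory}

# Constructed inventory: (host, model, edition, reported firmware).
SAMPLE = [
    ("nas-01", "px12-350r", "standard", "4.0.24.34808"),
    ("nas-02", "px12-350r", "standard", "4.0.9.99999"),  # 9 < 24 numerically
    ("nas-03", "ix2-200", "cloud", "3.2.16.30221"),
    ("nas-04", "ix2-200", "standard", "2.1.38.22294"),
    ("nas-05", "ix4-200d", "cloud", "unknown"),
    ("nas-06", "example-model", "standard", "1.0.0.0"),  # hypothetical model
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

The nas-02 row shows why the versions are parsed into integers: compared as plain strings, "4.0.9.99999" sorts above "4.0.24.34808" and the device would be reported as patched.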


References


https://www.helpnetsecurity.com/2019/07/17/lenovoemc-nas-devices-flaw/