Security: Iomega and LenovoEMC NAS Vulnerability

From Lenovo

Lenovo Enterprise Solutions, Pte Ltd. has published a security alert concerning Iomega and LenovoEMC NAS vulnerability.

Lenovo Security Advisory: LEN-25557

• Potential Impact: Information disclosure

• Severity: High

• Scope of Impact: Lenovo-specific

• CVE Identifier: CVE-2019-6160

Summary description:
A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.

Mitigation strategy for customers (what you should do to protect yourself):

• Update to the firmware level (or later) described for your system in the Product Impact section.

• If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks.

Acknowledgement:

Lenovo would like to thank WhiteHat Security and Vertical Structure for reporting this issue.

Product impact:

• px12-350r and ix12-300r, version 4.0.24.34808

• HMNHD (Home Media Network Hard Drive) Cloud Editiond, version 3.2.16.30221

• StorCenter ix2-200, Cloud Edition, version 3.2.16.30221

• StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221

• StorCenter ix2-200, version 2.1.50.30227

• StorCenter ix4-200d, version 2.1.50.30227

• StorCenter ix4-200rl, version 2.1.50.30227

Revision history:

For a complete list of all ‘Lenovo Product Security Advisories’, click here.

For the most up to date information, please remain current with updates and advisories from Lenovo regarding your equipment and software. The information provided in this advisory is provided on an ‘as is’ basis without any warranty or guarantee of any kind. Lenovo reserves the right to change or update this advisory at any time.