Vulnerabilities expose Iomega and LenovoEMC NAS devices to attacks

Share this…

Lenovo has launched an alert for nine “high-risk” rated vulnerabilities that impact 20 network attached storage devices (NAS) sold by the company, including its LenovoEMC, Iomega, and other Lenovo-branded NAS devices, as reported by specialists in ethical hacking.

By exploiting one of these command-injection vulnerabilities in the operating system of the NAS devices, an attacker could take over the compromised system remotely through the root shell.

Experts in ethical hacking warn that a hacker could use the attack to steal and/or destroy personal or proprietary information stored on the attacked device, use it to pivot on an internal network or add the device to a botnet. Security bugs were reported last Monday.

Vulnerable devices include eight LenovoEMC NAS models, nine Iomega StorCenter models, and Lenovo branded devices IX4-300d, ix2, and EZ Media and Backup Center.

“For some NAS devices like Iomega, Lenovo, LenovoEMC 4.1.402.34662 and earlier versions, the password-changing functionality available to authenticated users does not require the user’s current password to set a new one. As a result, attackers with access to the user’s session tokens can change their password and retain access to the user’s account”, according to the report published by the Common Vulnerability Scoring System (CVSS).

To get shell access to devices, attackers have to chain vulnerabilities. A hypothetical attack would first include attracting an authenticated NAS user to a malicious website specially designed to steal the user’s access token and a cookie-like session identifier, called “parameter __ C ” from the victim, as reported by specialists in ethical hacking from the International Institute of Cyber Security.

“Only during the investigation, we found a cross-site scripting vulnerability that allowed us to extract information from the browser”, said Rick Ramgattie, expert in charge of the investigation. “Then we use the stored information from the browser to execute commands on the selected devices”.

The next step in the attack, after acquiring the NAS access token and the “parameter _ C ” is to find the static IP address on which the NAS is running. “For these reasons, an attack of this nature would probably be against a known target”, the experts in ethical hacking mentioned. This means that finding the devices is not that difficult and would simply require a brute force port scan.

Once the static IP address of the vulnerable NAS is established, the attacker can initiate a cross-site request forgery (CSRF) attack against the appliance. This allows a privilege escalation for the attacker to execute commands and act as a normal user.

Lenovo said in a security notice that 4.1.402.34662 and earlier firmware versions are vulnerable to these flaws, so the company has recommended customers to download the firmware version 4.1.404.34716 or later as a security measure.