CVE-2018-9076: Iomega and LenovoEMC NAS Web UI Vulnerabilities
First published: Fri Sep 28 2018(Updated: )
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.
Credit: psirt@lenovo.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lenovo EMC Firmware | <=4.1.402.34662 | |
| Lenovo Iomega ez media & backup center | ||
| Lenovo ix2 | ||
| Lenovo ix2 | ||
| Iomega StorCenter | ||
| Iomega StorCenter | ||
| Iomega StorCenter | ||
| Lenovo px2-300d | ||
| Iomega StorCenter | ||
| Lenovo StorCenter PX4-300R | ||
| Lenovo EMC PX6-300D | ||
| Lenovo Ez Media & Backup Center | ||
| Lenovo EMC ix2/ix2-dl | ||
| Lenovo EMC ix4-300d | ||
| LenovoEMC px12-400r | ||
| Lenovo EMC px12-400r/450r | ||
| Lenovo EMC px2-300d | ||
| Lenovo EMC px4-300d | ||
| Lenovo EMC px4-300r | ||
| Lenovo EMC px4-400d | ||
| Lenovo EMC px4-400r | ||
| Lenovo EMC px6-300d |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-9076?
CVE-2018-9076 is classified as a high severity vulnerability due to its potential for command injection leading to arbitrary command execution.
How do I fix CVE-2018-9076?
To mitigate CVE-2018-9076, upgrade your affected Lenovo or Iomega NAS devices to firmware version 4.1.402.34663 or later.
Which devices are affected by CVE-2018-9076?
CVE-2018-9076 affects Iomega and Lenovo NAS devices running firmware versions 4.1.402.34662 and earlier.
What kind of vulnerability is CVE-2018-9076?
CVE-2018-9076 is a command injection vulnerability that allows attackers to execute arbitrary commands through a crafted share name.
Is CVE-2018-9076 publicly known?
Yes, CVE-2018-9076 is publicly disclosed and documented within the Common Vulnerabilities and Exposures database.
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/lenovo
- canonical/lenovo emc firmware
- version/lenovo emc firmware/4.1.402.34662
- canonical/lenovo iomega ez media & backup center
- canonical/lenovo ix2
- canonical/iomega storcenter
- canonical/lenovo px2-300d
- canonical/lenovo storcenter px4-300r
- canonical/lenovo emc px6-300d
- canonical/lenovo ez media & backup center
- canonical/lenovo emc ix2/ix2-dl
- canonical/lenovo emc ix4-300d
- canonical/lenovoemc px12-400r
- canonical/lenovo emc px12-400r/450r
- canonical/lenovo emc px2-300d
- canonical/lenovo emc px4-300d
- canonical/lenovo emc px4-300r
- canonical/lenovo emc px4-400d
- canonical/lenovo emc px4-400r