CVE-2018-9082: Iomega and LenovoEMC NAS Web UI Vulnerabilities
First published: Fri Sep 28 2018(Updated: )
For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password changing functionality available to authenticated users does not require the user's current password to set a new one. As a result, attackers with access to the user's session tokens can change their password and retain access to the user's account
Credit: psirt@lenovo.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Lenovo Storcenter PX12-450R | =4.1.402.34662 | |
| Lenovo StorCenter PX12-450R Firmware | ||
| Lenovo PX12-400R | =4.1.402.34662 | |
| Lenovo Storage Center PX12-400R | ||
| Lenovo StorCenter PX4-300R | =4.1.402.34662 | |
| Lenovo Storcenter PX4-300R Firmware | ||
| Lenovo PX6-300D Firmware | =4.1.402.34662 | |
| Lenovo Iomega StorCenter PX6-300D | ||
| Lenovo Storcenter PX4-300D Firmware | =4.1.402.34662 | |
| Lenovo Iomega StorCenter PX4-300D | ||
| Lenovo Storcenter PX2-300D Firmware | =4.1.402.34662 | |
| Lenovo Iomega StorCenter PX2-300D | ||
| Lenovo Storcenter IX4-300D Firmware | =4.1.402.34662 | |
| Lenovo Storcenter IX4-300D Firmware | ||
| Lenovo Storage IX2 Firmware | =4.1.402.34662 | |
| Lenovo Iomega StorCenter ix2-dl | ||
| Lenovo StorCenter ix2-dl | =4.1.402.34662 | |
| Lenovo StorCenter ix2-dl Firmware | ||
| Lenovo EZ Media & Backup Center Firmware | =4.1.402.34662 | |
| Lenovo Ez Media & Backup Center | ||
| Lenovo Storcenter PX12-450R | =4.1.402.34662 | |
| Lenovo EMC px12-400r/450r | ||
| Lenovo Storcenter PX12-400R Firmware | =4.1.402.34662 | |
| Lenovo Storage Center PX12-400R | ||
| Lenovo px4-400r | =4.1.402.34662 | |
| Lenovo EMC px4-400r | ||
| Lenovo Storcenter PX4-300R Firmware | =4.1.402.34662 | |
| Lenovo StorCenter PX4-300R | ||
| Lenovo StorCenter PX6-300D Firmware | =4.1.402.34662 | |
| Lenovo EMC PX6-300D | ||
| Lenovo PX4-400D | =4.1.402.34662 | |
| Lenovo PX4-400D | ||
| Lenovo Storcenter PX4-300D Firmware | =4.1.402.34662 | |
| Lenovo EMC px4-300d | ||
| Lenovo Storcenter PX2-300D Firmware | =4.1.402.34662 | |
| Lenovo EMC px2-300d | ||
| Lenovo Storcenter IX4-300D Firmware | =4.1.402.34662 | |
| Lenovo EMC ix4-300d | ||
| Lenovo Storage IX2 Firmware | =4.1.402.34662 | |
| Lenovo ix2 firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2018-9082?
CVE-2018-9082 is classified as a medium severity vulnerability due to the potential for unauthorized password changes.
How do I fix CVE-2018-9082?
To fix CVE-2018-9082, update the firmware of the affected Lenovo Iomega NAS devices to a version later than 4.1.402.34662.
What devices are affected by CVE-2018-9082?
CVE-2018-9082 affects several Lenovo Iomega and Lenovo EMC NAS devices running firmware version 4.1.402.34662 and earlier.
What attack vectors are associated with CVE-2018-9082?
Attackers can exploit CVE-2018-9082 by leveraging access to authenticated user session tokens to change passwords without the current password.
Is CVE-2018-9082 being actively exploited?
As of the latest information, there is no widespread indication that CVE-2018-9082 is actively being exploited.
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/weakness
- agent/title
- agent/severity
- agent/author
- agent/references
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/lenovo
- canonical/lenovo storcenter px12-450r
- version/lenovo storcenter px12-450r/4.1.402.34662
- canonical/lenovo storcenter px12-450r firmware
- canonical/lenovo px12-400r
- version/lenovo px12-400r/4.1.402.34662
- canonical/lenovo storage center px12-400r
- canonical/lenovo storcenter px4-300r
- version/lenovo storcenter px4-300r/4.1.402.34662
- canonical/lenovo storcenter px4-300r firmware
- canonical/lenovo px6-300d firmware
- version/lenovo px6-300d firmware/4.1.402.34662
- canonical/lenovo iomega storcenter px6-300d
- canonical/lenovo storcenter px4-300d firmware
- version/lenovo storcenter px4-300d firmware/4.1.402.34662
- canonical/lenovo iomega storcenter px4-300d
- canonical/lenovo storcenter px2-300d firmware
- version/lenovo storcenter px2-300d firmware/4.1.402.34662
- canonical/lenovo iomega storcenter px2-300d
- canonical/lenovo storcenter ix4-300d firmware
- version/lenovo storcenter ix4-300d firmware/4.1.402.34662
- canonical/lenovo storage ix2 firmware
- version/lenovo storage ix2 firmware/4.1.402.34662
- canonical/lenovo iomega storcenter ix2-dl
- canonical/lenovo storcenter ix2-dl
- version/lenovo storcenter ix2-dl/4.1.402.34662
- canonical/lenovo storcenter ix2-dl firmware
- canonical/lenovo ez media & backup center firmware
- version/lenovo ez media & backup center firmware/4.1.402.34662
- canonical/lenovo ez media & backup center
- canonical/lenovo emc px12-400r/450r
- canonical/lenovo storcenter px12-400r firmware
- version/lenovo storcenter px12-400r firmware/4.1.402.34662
- canonical/lenovo px4-400r
- version/lenovo px4-400r/4.1.402.34662
- canonical/lenovo emc px4-400r
- version/lenovo storcenter px4-300r firmware/4.1.402.34662
- canonical/lenovo storcenter px6-300d firmware
- version/lenovo storcenter px6-300d firmware/4.1.402.34662
- canonical/lenovo emc px6-300d
- canonical/lenovo px4-400d
- version/lenovo px4-400d/4.1.402.34662
- canonical/lenovo emc px4-300d
- canonical/lenovo emc px2-300d
- canonical/lenovo emc ix4-300d
- canonical/lenovo ix2 firmware