Lenovo is warning of nine vulnerabilities rated “high” and impacting 20 separate network attached storage (NAS) devices sold by the company, including its LenovoEMC, Iomega and its Lenovo-branded NAS devices.
By exploiting one of several command-injection vulnerabilities in the devices’ operating system, an attacker could remotely take over the targeted system via root shell.
Ultimately, the attack could be used by an adversary to “steal and destroy personal or proprietary information stored on the targeted device, use it to pivot into an internal network, or add it to a botnet,” wrote Rick Ramgattie, security analyst and research team lead at ISE Labs, which found the vulnerabilities and posted a technical write-up of the bug on Monday.
Vulnerable devices include eight LenovoEMC NAS (PX) models, nine Iomega StorCenter (PX and IX) models and the Lenovo-branded devices: ix4-300d, ix2 and EZ Media and Backup Center.
“For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, the password-changing functionality available to authenticated users does not require the user’s current password to set a new one. As a result, attackers with access to the user’s session tokens can change their password and retain access to the user’s account,” according to the Common Vulnerabilities and Exposures description of one of the cross-site scripting bugs (CVE-2018-9082).
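The weakness in that CVE description is a password-change path gated by nothing but the session token. The following Python model is an added example, not Lenovo or ISE code, and assumes nothing about the NAS firmware's real handlers: it puts the vulnerable pattern (`change_password_weak`) beside a hardened one that re-verifies the current password and then revokes every session of that user, so a stolen token cannot be used to lock the owner out.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 100_000  # constructed value for the example; tune for real hardware


class AuthError(Exception):
    pass


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256 stands in for whatever the real device stores.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    """Hypothetical in-memory user and session store for a NAS web UI."""

    def __init__(self):
        self._users = {}     # username -> (salt, derived key)
        self._sessions = {}  # session token -> username

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))

    def _verify(self, username: str, password: str) -> bool:
        salt, stored = self._users[username]
        return hmac.compare_digest(_hash(password, salt), stored)

    def login(self, username: str, password: str) -> str:
        if username not in self._users or not self._verify(username, password):
            raise AuthError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def session_valid(self, token: str) -> bool:
        return token in self._sessions

    def change_password_weak(self, token: str, new_password: str) -> None:
        """Vulnerable pattern from the advisory: the session token alone is
        enough to set a new password. Whoever holds the token owns the account."""
        username = self._sessions[token]
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(new_password, salt))

    def change_password(self, token: str, current_password: str, new_password: str) -> str:
        """Hardened pattern: re-authenticate with the current password, rotate
        the hash, revoke every existing session (including a stolen one) and
        hand the caller a fresh token."""
        username = self._sessions.get(token)
        if username is None:
            raise AuthError("no session")
        if not self._verify(username, current_password):
            raise AuthError("current password incorrect")
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(new_password, salt))
        for old in [t for t, u in self._sessions.items() if u == username]:
            del self._sessions[old]
        new_token = secrets.token_urlsafe(32)
        self._sessions[new_token] = username
        return new_token
```

The session sweep is the part most implementations forget: even with the current-password check in place, a password change should end the attacker's session rather than only the one used to make the change.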
In order to gain shell access to devices, the attack involves chaining vulnerabilities together. A hypothetical attack would first include luring an authenticated NAS user of one of the devices to a specially crafted malicious website designed to steal the user’s access token and a session cookie-like identifier, called a “__c parameter,” from the victim’s browser, Ramgattie said in an interview with Threatpost.
“To simplify the research, we found a cross-site scripting vulnerability that allowed us to pull information out of the browser,” Ramgattie said. “And then we used that stored browser information to execute commands on the targeted devices.”
The next step in the attack, after acquiring a target’s NAS access token and “__c parameter,” is finding the static IP address the NAS is running on. “For these reasons, an attack of this nature would likely be against a known target,” said Jacob Holcomb, principal security analyst and director of ISE Labs. That said, finding the devices isn’t that difficult and would simply require brute-force port scanning, he said.
Once the static IP address of the vulnerable NAS is established, the attacker can launch a cross-site request forgery (CSRF) attack against the device. That allows for an escalation of privileges and for the attacker to issue commands and act like a normal user, researchers said.
“The meat of the vulnerability is the fact that an attacker could trick a user into visiting a website, and by leveraging a cross-site request forgery attack. And from there, so easily take control of the NAS device,” Holcomb said. “It’s a simple chain of bugs.”
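The chain above relies on two things a device-side handler can refuse: a state-changing request that did not originate from the device's own UI, and user input reaching a shell. The Python below is an added example, not code from Lenovo or ISE; the origin `nas.example.lan`, the `Request` shape and the `/usr/local/bin/nas-share` helper path are all constructed for the illustration. It checks a per-session CSRF token and the request's origin before acting, and builds the privileged operation as an argument vector (what would go to `subprocess.run` without `shell=True`) after validating the share name, so shell metacharacters never become part of a command line.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed origin of the NAS web UI (constructed for this example).
NAS_ORIGIN = "https://nas.example.lan"
# Share names the hypothetical helper accepts: no spaces, no shell metacharacters.
SHARE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the UI handler would see it."""
    method: str
    headers: dict
    cookies: dict
    form: dict


class SessionStore:
    """Server-side sessions; each carries its own random CSRF token."""

    def __init__(self):
        self._sessions = {}

    def create(self, username: str) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def csrf_token(self, sid: str) -> str:
        # The UI embeds this in its own forms; a third-party page cannot read it.
        return self._sessions[sid]["csrf"]


def _same_origin(req: Request) -> bool:
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False  # no provenance at all: treat as cross-site
    want, got = urlparse(NAS_ORIGIN), urlparse(src)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_request(req: Request, sessions: SessionStore):
    """Return None if the request may change state, else the reason to refuse it."""
    if req.method != "POST":
        return "state-changing actions must be POST"
    sess = sessions.get(req.cookies.get("session", ""))
    if sess is None:
        return "no valid session"
    if not _same_origin(req):
        return "cross-origin request refused"
    supplied = req.form.get("csrf_token", "").encode("utf-8")
    if not hmac.compare_digest(supplied, sess["csrf"].encode("utf-8")):
        return "missing or wrong CSRF token"
    return None


def build_share_command(share_name: str) -> list:
    """Argument vector for the hypothetical share helper; never a shell string."""
    if not SHARE_NAME.match(share_name):
        raise ValueError("invalid share name")
    return ["/usr/local/bin/nas-share", "delete", share_name]


def handle_delete_share(req: Request, sessions: SessionStore) -> dict:
    err = check_request(req, sessions)
    if err:
        return {"status": 403, "error": err}
    try:
        argv = build_share_command(req.form.get("name", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    # A real handler would call subprocess.run(argv) here (shell=False is the
    # default); the argv is returned so the test can inspect what would run.
    return {"status": 200, "argv": argv}
```

The origin check and the token check are deliberately independent: the token defends against a forged request from any page, and the origin check catches clients that send no token at all. Both run before the share name is even looked at, and the name is validated against an allow-list rather than escaped.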
Researchers at ISE Labs discovered the vulnerabilities and notified Lenovo of the flaws on August 3. Lenovo issued patches for vulnerable systems Sept. 20 and publicly disclosed the flaws Sept. 30. CVEs include: CVE-2018-9074, CVE-2018-9075, CVE-2018-9076, CVE-2018-9077, CVE-2018-9078, CVE-2018-9079, CVE-2018-9080, CVE-2018-9081 and CVE-2018-9082.
Lenovo said firmware versions 4.1.402.34662 and earlier are vulnerable. Customers are urged to download firmware version 4.1.404.34716 (or later).
“If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares, using the device only on trusted networks, and clicking on device URLs only from trustworthy sources,” Lenovo said.