SB2018092902 - Multiple vulnerabilities in LenovoEMC NAS Web GUI
Published: September 29, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 9 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2018-9074)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within Content Explorer application. A remote authenticated attacker can send a specially crafted HTTP request and upload arbitrary file to the system as a root user.
2) Unverified Password Change (CVE-ID: CVE-2018-9082)
The vulnerability allows a remote attacker to change victim's password.
The vulnerability exists due to the web application does not provide verification of an old password before allowing to change it to a new one. A remote attacker with knowledge of vimctim's session token can change the user's password.
3) Insufficient Session Expiration (CVE-ID: CVE-2018-9080)
The vulnerability allows a remote attacker to compromise victim's account.
The vulnerability exists due to application sets the lomega cookie to a known value before logging into the NAS's web application. A remote attacker with knowledge of the cookie can compromise victim's session.
4) self-XSS (CVE-ID: CVE-2018-9081)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
5) Cross-site scripting (CVE-ID: CVE-2018-9079)
The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
6) Unrestricted upload of file with dangerous type (CVE-ID: CVE-2018-9078)
The vulnerability allows a remote attacker to upload dangerous files.
The vulnerability exists due to the web interface allows uploading of SVG files. A remote authenticated attacker can upload a malicious SVG file, trick the victim into opening it in the browser and execute arbitrary JavaScript code in the context of vulnerable application.
7) OS Command Injection (CVE-ID: CVE-2018-9077)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient sanitization of user-supplied data within the "share:name" parameter. A remote authenticated attacker can inject and execute arbitrary OS commands with root privileges on the affected device.
8) OS Command Injection (CVE-ID: CVE-2018-9076)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient sanitization of user-supplied data within the "name" parameter. A remote authenticated attacker can inject and execute arbitrary OS commands with root privileges on the affected device.
9) OS Command Injection (CVE-ID: CVE-2018-9075)
The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.
The vulnerability exists due to insufficient sanitization of user-supplied data within the client:password parameter. A remote authenticated attacker can inject and execute arbitrary OS commands with root privileges on the affected device.
Remediation
Install update from vendor's website.