Details of VAR-201809-1088

ID

VAR-201809-1088

CVE

CVE-2018-9076

TITLE

plural Lenovo Command injection vulnerability in product devices

Trust: 0.8

sources: JVNDB: JVNDB-2018-010434

DESCRIPTION

For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. As a result, arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter. Iomega , Lenovo , LenovoEMC NAS The device contains a command injection vulnerability.Information is obtained, information is altered, and service operation is disrupted (DoS) There is a possibility of being put into a state. Lenovo Iomega StorCenter px12-450r and others are all storage devices of China Lenovo (Lenovo). There are security vulnerabilities in the Web UI of several Lenovo products using firmware 4.1.402.34662 and earlier versions. An attacker can use the 'value __c' and 'iomega' parameters to exploit this vulnerability to execute arbitrary commands as root. The following products are affected: Lenovo Iomega StorCenter px12-450r, StorCenter px12-400r, StorCenter px4-300r, StorCenter px6-300d, StorCenter px4-300d, StorCenter px2-300d, StorCenter ix4-300d, StorCenter ix2/ix2-dl, EZ Media & Backup Center; LenovoEMC px12-450r, px12-400r, px4-400r, px4-300r, px6-300d, px4-400d, px4-300d, px2-300d; Lenovo ix4-300d, ix2, EZ Media & Backup Center

Trust: 1.8

sources: NVD: CVE-2018-9076 // JVNDB: JVNDB-2018-010434 // VULHUB: VHN-139108 // VULMON: CVE-2018-9076

AFFECTED PRODUCTS

vendor:	lenovo	model:	lenovoemc	scope:	lte	version:	4.1.402.34662	Trust: 1.0
vendor:	lenovo	model:	lenovoemc	scope:	-	version:	-	Trust: 0.8
vendor:	lenovo	model:	lenovoemc	scope:	eq	version:	4.1.402.34662	Trust: 0.6

sources: JVNDB: JVNDB-2018-010434 // CNNVD: CNNVD-201809-1175 // NVD: CVE-2018-9076

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2018-9076
value:	HIGH
Trust: 1.0
NVD:	CVE-2018-9076
value:	HIGH
Trust: 0.8
CNNVD:	CNNVD-201809-1175
value:	HIGH
Trust: 0.6
VULHUB:	VHN-139108
value:	HIGH
Trust: 0.1
VULMON:	CVE-2018-9076
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2018-9076
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9
VULHUB:	VHN-139108
severity:	HIGH
baseScore:	9.3
vectorString:	AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	COMPLETE
integrityImpact:	COMPLETE
availabilityImpact:	COMPLETE
exploitabilityScore:	8.6
impactScore:	10.0
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2018-9076
baseSeverity:	HIGH
baseScore:	8.1
vectorString:	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	HIGH
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.2
impactScore:	5.9
version:	3.0
Trust: 1.8

sources: VULHUB: VHN-139108 // VULMON: CVE-2018-9076 // JVNDB: JVNDB-2018-010434 // CNNVD: CNNVD-201809-1175 // NVD: CVE-2018-9076

PROBLEMTYPE DATA

problemtype:	CWE-78	Trust: 1.1
problemtype:	CWE-77	Trust: 0.9

sources: VULHUB: VHN-139108 // JVNDB: JVNDB-2018-010434 // NVD: CVE-2018-9076

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201809-1175

TYPE

operating system commend injection

Trust: 0.6

sources: CNNVD: CNNVD-201809-1175

CONFIGURATIONS

sources: JVNDB: JVNDB-2018-010434

PATCH

title:	LEN-24224	url:	https://support.lenovo.com/jp/ja/solutions/len-24224	Trust: 0.8
title:	Multiple Lenovo Product security vulnerabilities	url:	http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=85209	Trust: 0.6

sources: JVNDB: JVNDB-2018-010434 // CNNVD: CNNVD-201809-1175

EXTERNAL IDS

db:	NVD	id:	CVE-2018-9076	Trust: 2.6
db:	LENOVO	id:	LEN-24224	Trust: 1.8
db:	JVNDB	id:	JVNDB-2018-010434	Trust: 0.8
db:	CNNVD	id:	CNNVD-201809-1175	Trust: 0.7
db:	VULHUB	id:	VHN-139108	Trust: 0.1
db:	VULMON	id:	CVE-2018-9076	Trust: 0.1

sources: VULHUB: VHN-139108 // VULMON: CVE-2018-9076 // JVNDB: JVNDB-2018-010434 // CNNVD: CNNVD-201809-1175 // NVD: CVE-2018-9076

REFERENCES

url:	https://support.lenovo.com/us/en/solutions/len-24224	Trust: 1.8
url:	https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2018-9076	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2018-9076	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/78.html	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1

sources: VULHUB: VHN-139108 // VULMON: CVE-2018-9076 // JVNDB: JVNDB-2018-010434 // CNNVD: CNNVD-201809-1175 // NVD: CVE-2018-9076

SOURCES

db:	VULHUB	id:	VHN-139108
db:	VULMON	id:	CVE-2018-9076
db:	JVNDB	id:	JVNDB-2018-010434
db:	CNNVD	id:	CNNVD-201809-1175
db:	NVD	id:	CVE-2018-9076

LAST UPDATE DATE

2024-11-23T22:00:17.092000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-139108	date:	2019-10-03T00:00:00
db:	VULMON	id:	CVE-2018-9076	date:	2019-10-03T00:00:00
db:	JVNDB	id:	JVNDB-2018-010434	date:	2018-12-14T00:00:00
db:	CNNVD	id:	CNNVD-201809-1175	date:	2019-10-23T00:00:00
db:	NVD	id:	CVE-2018-9076	date:	2024-11-21T04:14:55.497

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-139108	date:	2018-09-28T00:00:00
db:	VULMON	id:	CVE-2018-9076	date:	2018-09-28T00:00:00
db:	JVNDB	id:	JVNDB-2018-010434	date:	2018-12-14T00:00:00
db:	CNNVD	id:	CNNVD-201809-1175	date:	2018-09-27T00:00:00
db:	NVD	id:	CVE-2018-9076	date:	2018-09-28T20:29:00.860