CVE-2018-9079
📋 TL;DR
This vulnerability allows attackers to craft malicious URLs that inject HTML and JavaScript into affected NAS device web interfaces. Attackers can execute arbitrary JavaScript code with the device's origin, potentially compromising the device and connected data. Affected users include those running Iomega, Lenovo, and LenovoEMC NAS devices with vulnerable firmware.
💻 Affected Systems
- Iomega NAS
- Lenovo NAS
- LenovoEMC NAS
📦 What is this software?
Ez Media \& Backup Center Firmware by Lenovo
View all CVEs affecting Ez Media \& Backup Center Firmware →
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing data theft, ransomware deployment, lateral movement to connected systems, and persistent backdoor installation.
Likely Case
Session hijacking, credential theft, data exfiltration, and unauthorized configuration changes to the NAS device.
If Mitigated
Limited impact if devices are isolated from untrusted networks and have strict access controls, though risk remains from internal threats.
🎯 Exploit Status
Exploitation requires only crafted URLs and basic web knowledge. No authentication needed for initial injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware versions after 4.1.402.34662
Vendor Advisory: https://support.lenovo.com/us/en/solutions/LEN-24224
Restart Required: Yes
Instructions:
1. Backup NAS data. 2. Download latest firmware from Lenovo support site. 3. Access web interface. 4. Navigate to firmware update section. 5. Upload and apply update. 6. Reboot device.
🔧 Temporary Workarounds
Network Isolation
allRestrict NAS web interface access to trusted internal networks only
Access Control
allImplement strict firewall rules and authentication requirements for NAS management
🧯 If You Can't Patch
- Disable web management interface if not required
- Implement network segmentation to isolate NAS from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check firmware version in web interface under System > FirmwareCheck Version:
Check via web interface or SSH if enabled: cat /etc/versionVerify Fix Applied:
Confirm firmware version is greater than 4.1.402.34662📡 Detection & Monitoring
Log Indicators:
- Unusual URL patterns in web server logs
- Multiple failed login attempts followed by successful access
- Unexpected configuration changes
Network Indicators:
- HTTP requests with suspicious parameters or script tags
- Outbound connections from NAS to unknown destinations
SIEM Query:
source="nas_web_logs" AND (url="*<script*" OR url="*javascript:*" OR url="*onerror=*" OR url="*onload=*")