Lenovo has issued a firmware update for the issue, which is specific to LenovoEMC, Lenovo and Iomega NAS devices with LenovoEMC LifeLine firmware version 4.0.2.9960 or 4.0.4.14600.
The problem is that the web server for the LenovoEMC StorageCenter PX4-300R allows unauthenticated remote users to retrieve specific files that are located outside of the web root. Malicious users would need to have direct knowledge of the directory structure to exploit the vulnerability.
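The bug class described above, retrieving files outside the web root via an unauthenticated request, comes down to how a server maps a URL path onto the filesystem. The following is an added illustration, not Lenovo's or DDI's code and not the LifeLine web server's actual implementation (which the article does not show): a naive path mapping next to a hardened one, with the web root and file names as assumed values.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Assumed web root for the illustration; the real firmware layout is not given.
WEB_ROOT = "/var/www/html"


def naive_resolve(requested: str) -> str:
    """Vulnerable pattern: the URL path is glued onto the web root and handed
    to the filesystem, which happily honours '..' segments and walks out of
    the web root. Returned value is the path the OS would actually open."""
    return posixpath.normpath(WEB_ROOT + "/" + requested.lstrip("/"))


def safe_resolve(requested: str) -> Optional[str]:
    """Hardened pattern: decode once, canonicalize, then require the result
    to sit at or below WEB_ROOT. Returns None (refuse) for anything else,
    before any file is opened. On a live server, also resolve symlinks with
    os.path.realpath after this check so a link inside the root cannot point
    outside it."""
    decoded = unquote(requested)
    # NUL bytes truncate C strings; backslashes act as separators on some
    # servers. Neither belongs in a legitimate request path.
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: two legitimate, three that escape the root.
    for req in ["index.html", "/css/site.css", "../secrets.txt",
                "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req:35} naive={naive_resolve(req):25} safe={safe_resolve(req)}")
```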
The vulnerability was discovered by researchers at Digital Defense Inc. (DDI), which collaborated with Lenovo to examine and address the flaw.
“Our goal is to work hand in hand with hardware and software manufacturers to help them understand our security vulnerability discoveries and to ensure this intelligence is rapidly communicated to our clients and other end users, with the appropriate remediation solution, to ensure any potential risk is mitigated,” said Larry Hurtado, DDI president and CEO, in a statement. “This responsible disclosure process has been effective in resolving security issues before they potentially open the door to malicious attacks.”