CVE-2018-9076 Information

Description

For some Iomega Lenovo LenovoEMC NAS devices versions 4.1.402.34662 and earlier when changing the name of a share an attacker can craft a command injection payload using backtick ``\ characters in the name parameter. As a result arbitrary commands may be executed as the root user. The attack requires a value __c and iomega parameter.

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://support.lenovo.com/us/en/solutions/LEN-24224

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

8.1