DDIVRT-2013-55 LenovoEMC StorageCenter PX4-300R Unauthorized Remote File Retrieval
Date Discovered
---------------
October 10, 2013
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Evan Sylvester and r@b13$
Vulnerability Description
-------------------------
The web server for the LenovoEMC StorageCenter PX4-300R allows unauthenticated remote users to retrieve specific files that are located outside of the web root. Malicious users would need to have direct knowledge of the directory structure to exploit this vulnerability.
Solution Description
--------------------
LenovoEMC has addressed this vulnerability and released an updated version of the firmware for this device. Please refer to the following page for specific instructions on how to obtain and apply the update:
http://download.lenovo.com/lenovoemc/na/en/
Tested Systems / Software (with versions)
------------------------------------------
LenovoEMC StorageCenter PX4-300R v4.0.4.146
BIOS: px4 fsbfv102
Vendor Contact
--------------
LenovoEMC
https://support.lenovoemc.com