LG NAS Devices Vulnerability

A vulnerability in the LG network-attached storage (NAS) device allows a remote attacker access by using command injection on the password parameter login page, without authentication.

Threat ID:: CC-2301
Category:: Exploit
Threat Severity:: Medium
Threat Vector:
Published:: 25 April 2018 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A vulnerability in the LG network-attached storage (NAS) device allows a remote attacker access by using command injection on the password parameter login page, without authentication.

Threat details

The attacker can exploit this vulnerability to execute arbitrary commands which includes adding a new user account and download the database containing existing usernames and MD5 hashed passwords. After creating the new user account, the attacker can freely login to the administration interface and access any file stored on the device.

Remediation steps

Type	Step
	At the time of publication LG have not released a patch for the vulnerability. To reduce the risk of attack on NAS devices ensure that they are not accessible via the internet and should be protected behind a correctly configured firewall. Monitor and audit the usernames and passwords stored on the device, investigating any suspicious credentials.

Last edited: 17 February 2020 12:47 pm