Lenovo recently confirmed a “high severity” security flaw in some of its network-attached storage devices. The vulnerability has exposed user data on its Lenovo-EMC storage products.
Security researchers who unearthed the vulnerability estimated that 36TB of data was leaked at the time of the discovery.
These researchers found approximately 13,000 spreadsheet files indexed, with 36TB of data available, according to a Vertical Structure report. The cybersecurity provider also revealed that a total of 3,030,106 files were in the index after scanning. The report said the files contain a “significant amount” of sensitive financial information, including financial records and card numbers.
Lenovo has just issued a security advisory confirming that the firmware vulnerability could lead to a data breach. The security flaw could enable an unauthorized user to access files on some of its storage devices. Researchers said it is “easy” for attackers to reach the data stored on some Lenovo-EMC network-attached storage (NAS) devices.
The vulnerability, tracked as CVE-2019-6160, stems from an unsecured API call. Vulnerable NAS devices can be located with Shodan, and an attacker could then download the exposed files by sending specially crafted requests.
A Vertical Structure researcher discovered the data leak via Shodan, the search engine dedicated to Internet-connected devices.
An investigation revealed that more than 5,114 Iomega and LenovoEMC NAS devices were connected to the Internet, Dark Reading said. This probe was carried out jointly by Vertical Structure and WhiteHat Security.
The probe also showed that many of the affected models had already reached end-of-life status. At this stage, Lenovo no longer provides official support for the devices.
A team of application security engineers at WhiteHat’s threat research center verified the initial findings from Vertical Structure. WhiteHat reported the vulnerability to Lenovo.
In response, the device manufacturer brought three obsolete versions of the device software back. This move allowed customers to continue using the devices while Lenovo developed a patch.
The researchers acknowledged Lenovo’s professional approach to vulnerability disclosure. They said the company’s prompt response offers an excellent lesson for other organizations that experience the same challenges.
Lenovo advised customers who own an Iomega or LenovoEMC storage device to check Lenovo’s security advisory. If their device is among those affected, they should apply the update immediately.
If updating the firmware is not feasible, customers can still obtain partial protection by removing any public shares. Another option, Lenovo suggested, is to use the device only on trusted networks.