Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/16/2019
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Lenovo NAS Firmware Flaw Exposes Stored Data

More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

Thousands of users of Lenovo network-attached storage devices are at risk of data compromise via a firmware-level vulnerability.

The flaw, which is present in certain models of the NAS products, allows unauthenticated users to view and access data stored on the devices, and is trivially easy to exploit via the Application Programming Interface, researchers from Vertical Structure and WhiteHat Security said this week.

An initial investigation of the issue uncovered at least 5,114 of the devices exposed on the Internet with over 3 million files vulnerable to the issue. But the total number of such at-risk Lenovo storage systems could be higher.  

The researchers found that Google had already indexed several of these exposed devices, resulting in some 13,000 spreadsheet files with 36 terabytes of data available on the Web. Many of exposed files had sensitive data in them, including credit card numbers and financial records.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," says Simon Whittaker, director at Vertical Structure. "It is similar to thousands of open [AWS] S3 [storage] buckets being discovered." 

The devices impacted by the issue include several models of Iomega's StorCenter and LenovoEMC's series of NAS systems. Several of the impacted models have reached end-of-life status, so Lenovo is no longer supporting or maintaining them.

High Severity Issue

In an alert Tuesday that lists all impacted devices, Lenovo described the vulnerability as high severity because it allows unauthenticated access to files on NAS shares via the API. The company urged users of vulnerable devices to immediately update their firmware to the latest available version.

In situations where a user might not be immediately able to update the firmware for any reason, they should remove any public shares and use the device only on trusted networks, Lenovo said. By taking this measure organizations can achieve "partial protection" from the vulnerability, according to the vendor.

Whittaker says Vertical Structure uncovered the issue last fall when a routine Shodan scan unearthed a collection of unmarked files that researchers were later able to trace back to external hard drives from Iomega. After some investigating, the researchers found the external hard drives would leak information through specially crafted requests via an API, but not through their Web interface, he says.

Researchers from Vertical Structure then worked with counterparts from WhiteHat Security to confirm the vulnerability and later inform Lenovo about it.

In the devices found directly accessible from the Internet, all that an attacker would need to grab data from them is knowledge of the NAS's IP address, Whittaker says. And for devices not directly accessible from the Internet, an attacker would need to be on the same network in order to exploit the vulnerability, he says.

When Lenovo itself was first informed of the issue, the company pulled three versions of its NAS software out of retirement so users could continue to utilize their product while a fix was being readied, Vertical Structure said.

The firmware update the company has released fundamentally changed the API and the Web interface, in order to secure it, Whittaker explains.

The data in the vulnerable devices presents a treasure trove of information about people and organizations, he notes. "By putting this information online they assumed it would be secure and protected by the username and password," Whittaker says. "But this was incorrect."

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
prabhuram.mohan
50%
50%
prabhuram.mohan,
User Rank: Author
7/31/2019 | 4:01:25 PM
Vertical Structure - WhiteHat Security
Kudos to the Vertical Structure and WhiteHat teams, happy to work with all of you!
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Lessons from the NSA: Know Your Assets
Robert Lemos, Contributing Writer,  12/12/2019
4 Tips to Run Fast in the Face of Digital Transformation
Shane Buckley, President & Chief Operating Officer, Gigamon,  12/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19807
PUBLISHED: 2019-12-15
In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for ...
CVE-2014-8650
PUBLISHED: 2019-12-15
python-requests-Kerberos through 0.5 does not handle mutual authentication
CVE-2014-3536
PUBLISHED: 2019-12-15
CFME (CloudForms Management Engine) 5: RHN account information is logged to top_output.log during registration
CVE-2014-3643
PUBLISHED: 2019-12-15
jersey: XXE via parameter entities not disabled by the jersey SAX parser
CVE-2014-3652
PUBLISHED: 2019-12-15
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.