Researchers discovered a vulnerability in Lenovo network storage devices that allows attackers to gain unauthorized remote read-only access to network-attached storage (NAS) shares.
The vulnerability was discovered by researchers at Digital Defense Inc. Lenovo has issued a firmware update to address the problem, which affected LenovoEMC, Lenovo and Iomega NAS devices with LenovoEMC LifeLine firmware version 4.0.2.9960 or 4.0.4.14600.
According to Digital Defense, the web server for the LenovoEMC StorageCenter PX4-300R allows unauthenticated remote users to retrieve specific files located outside of the web root. To exploit this vulnerability, an attacker would need direct knowledge of the directory structure.
Once the flaw was discovered, Digital Defense began working with Lenovo to address the issue.
“Our goal is to work hand in hand with hardware and software manufacturers to help them understand our security vulnerability discoveries and to ensure this intelligence is rapidly communicated to our clients and other end users, with the appropriate remediation solution, to ensure any potential risk is mitigated,” said Larry Hurtado, DDI president and CEO, in a statement. “This responsible disclosure process has been effective in resolving security issues before they potentially open the door to malicious attacks.”
