Researchers discovered a vulnerability in Lenovo network storage devices that allows attackers to gain unauthorized remote read-only access to network-attached storage (NAS) shares.
The vulnerability was discovered by researchers at Digital Defense Inc. Lenovo has issued a firmware update to address the problem, which affected LenovoEMC, Lenovo and Iomega NAS devices with LenovoEMC LifeLine firmware version 4.0.2.9960 or 4.0.4.14600.
According to Digital Defense, the web server for the LenovoEMC StorageCenter PX4-300R allows unauthenticated remote users to retrieve specific files located outside of the web root. For an attacker to exploit this vulnerability, they would have to hve direct knowledge of the directory structure.
Once the flaw was discovered, Digital Defense began working with Lenovo to address the issue.
“Our goal is to work hand in hand with hardware and software manufacturers to help them understand our security vulnerability discoveries and to ensure this intelligence is rapidly communicated to our clients and other end users, with the appropriate remediation solution, to ensure any potential risk is mitigated,” said Larry Hurtado, DDI president and CEO, in a statement. “This responsible disclosure process has been effective in resolving security issues before they potentially open the door to malicious attacks.”