Thousands of Legacy Lenovo Storage Devices Exposed Millions of Files

Cybersecurity firms Vertical Structure and WhiteHat Security on Tuesday reported that their researchers discovered a serious vulnerability that gave remote attackers access to millions of files stored on thousands of exposed Lenovo network-attached storage (NAS) devices.

An analysis revealed that the exposed devices were discontinued Iomega/LenovoEMC storage products. Simon Whittaker, director at Vertical Structure, told SecurityWeek that a Shodan search conducted in the fall of 2018 revealed 5,114 devices storing over 3 million files. This includes roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the files stored sensitive information, including payment card numbers and financial records.

Whittaker believes the actual number of exposed systems is likely higher as the 5,114 devices are only the ones that were identified and had some details indexed.

The vulnerability could have been exploited by a remote, unauthenticated attacker to gain access to the files stored on the devices by sending a specially crafted request via an API.

“The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to millions of open s3 buckets being discovered,” Whittaker told SecurityWeek.

An attacker could have scanned the web for vulnerable devices and sent a malicious request to the targeted device’s IP address. However, Whittaker said an attacker could have also created a script that would automate the attack and retrieve data from all the vulnerable devices.

Vertical Structure and WhiteHat reported their findings to Lenovo, which pulled three versions of the affected software out of retirement to address the vulnerability. Lenovo, which tracks the flaw as CVE-2019-6160, published an advisory on Tuesday.

This is not the first time Lenovo has warned users about a potentially serious vulnerability affecting its discontinued Iomega and LenovoEMC NAS products. Last year, the company learned of nine weaknesses, including ones that could have been chained to completely compromise a device.

*Updated with CVE and link to Lenovo advisory

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
