Cybersecurity firms Vertical Structure and WhiteHat Security on Tuesday reported that their researchers discovered a serious vulnerability that gave remote attackers access to millions of files stored on thousands of exposed Lenovo network-attached storage (NAS) devices.
An analysis revealed that the exposed devices were discontinued Iomega/LenovoEMC storage products. Simon Whittaker, director at Vertical Structure, told SecurityWeek that a Shodan search conducted in the fall of 2018 revealed 5,114 devices storing over 3 million files. This includes roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the files stored sensitive information, including payment card numbers and financial records.
Whittaker believes the actual number of exposed systems is likely higher, since the 5,114 devices are only those that Shodan had identified and indexed with some details.
The vulnerability could have been exploited by a remote, unauthenticated attacker to gain access to the files stored on the devices by sending a specially crafted request via an API.
“The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to millions of open s3 buckets being discovered,” Whittaker told SecurityWeek.
An attacker could have scanned the web for vulnerable devices and sent a malicious request to the targeted device’s IP address. Whittaker added that an attacker could also have written a script to automate the attack and retrieve data from all of the vulnerable devices.
Vertical Structure and WhiteHat reported their findings to Lenovo, which pulled three versions of the affected software out of retirement to address the vulnerability. Lenovo, which tracks the flaw as CVE-2019-6160, published an advisory on Tuesday.
This is not the first time Lenovo has warned users about a potentially serious vulnerability affecting its discontinued Iomega and LenovoEMC NAS products. Last year, the company learned of nine weaknesses, including ones that could have been chained to completely compromise a device.
*Updated with CVE and link to Lenovo advisory