Thousands of Legacy Lenovo Storage Devices Exposed Millions of Files

Cybersecurity firms Vertical Structure and WhiteHat Security on Tuesday reported that their researchers discovered a serious vulnerability that gave remote attackers access to millions of files stored on thousands of exposed Lenovo network-attached storage (NAS) devices.

An analysis revealed that the exposed devices were discontinued Iomega/LenovoEMC storage products. Simon Whittaker, director at Vertical Structure, told SecurityWeek that a Shodan search conducted in the fall of 2018 revealed 5,114 devices storing over 3 million files. This includes roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the files stored sensitive information, including payment card numbers and financial records.

Whittaker believes the actual number of exposed systems is likely higher, as the 5,114 devices are only the ones that were identified and had some details indexed.

The vulnerability could have been exploited by a remote, unauthenticated attacker to gain access to the files stored on the devices by sending a specially crafted request via an API.

“The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to millions of open S3 buckets being discovered,” Whittaker told SecurityWeek.

An attacker could have scanned the web for vulnerable devices and sent a malicious request to the targeted device’s IP address. However, Whittaker said an attacker could have also created a script that would automate the attack and retrieve data from all the vulnerable devices.

Vertical Structure and WhiteHat reported their findings to Lenovo, which pulled three versions of the affected software out of retirement to address the vulnerability. Lenovo, which tracks the flaw as CVE-2019-6160, published an advisory on Tuesday.

This is not the first time Lenovo has warned users about a potentially serious vulnerability affecting its discontinued Iomega and LenovoEMC NAS products. Last year, the company learned of nine weaknesses, including ones that could have been chained to completely compromise a device.

*Updated with CVE and link to Lenovo advisory

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
