Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/16/2019
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Lenovo NAS Firmware Flaw Exposes Stored Data

More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

Thousands of users of Lenovo network-attached storage devices are at risk of data compromise via a firmware-level vulnerability.

The flaw, which is present in certain models of the NAS products, allows unauthenticated users to view and access data stored on the devices, and is trivially easy to exploit via the Application Programming Interface, researchers from Vertical Structure and WhiteHat Security said this week.

An initial investigation of the issue uncovered at least 5,114 of the devices exposed on the Internet with over 3 million files vulnerable to the issue. But the total number of such at-risk Lenovo storage systems could be higher.  

The researchers found that Google had already indexed several of these exposed devices, resulting in some 13,000 spreadsheet files with 36 terabytes of data available on the Web. Many of exposed files had sensitive data in them, including credit card numbers and financial records.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," says Simon Whittaker, director at Vertical Structure. "It is similar to thousands of open [AWS] S3 [storage] buckets being discovered." 

The devices impacted by the issue include several models of Iomega's StorCenter and LenovoEMC's series of NAS systems. Several of the impacted models have reached end-of-life status, so Lenovo is no longer supporting or maintaining them.

High Severity Issue

In an alert Tuesday that lists all impacted devices, Lenovo described the vulnerability as high severity because it allows unauthenticated access to files on NAS shares via the API. The company urged users of vulnerable devices to immediately update their firmware to the latest available version.

In situations where a user might not be immediately able to update the firmware for any reason, they should remove any public shares and use the device only on trusted networks, Lenovo said. By taking this measure organizations can achieve "partial protection" from the vulnerability, according to the vendor.

Whittaker says Vertical Structure uncovered the issue last fall when a routine Shodan scan unearthed a collection of unmarked files that researchers were later able to trace back to external hard drives from Iomega. After some investigating, the researchers found the external hard drives would leak information through specially crafted requests via an API, but not through their Web interface, he says.

Researchers from Vertical Structure then worked with counterparts from WhiteHat Security to confirm the vulnerability and later inform Lenovo about it.

In the devices found directly accessible from the Internet, all that an attacker would need to grab data from them is knowledge of the NAS's IP address, Whittaker says. And for devices not directly accessible from the Internet, an attacker would need to be on the same network in order to exploit the vulnerability, he says.

When Lenovo itself was first informed of the issue, the company pulled three versions of its NAS software out of retirement so users could continue to utilize their product while a fix was being readied, Vertical Structure said.

The firmware update the company has released fundamentally changed the API and the Web interface, in order to secure it, Whittaker explains.

The data in the vulnerable devices presents a treasure trove of information about people and organizations, he notes. "By putting this information online they assumed it would be secure and protected by the username and password," Whittaker says. "But this was incorrect."

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
prabhuram.mohan
50%
50%
prabhuram.mohan,
User Rank: Author
7/31/2019 | 4:01:25 PM
Vertical Structure - WhiteHat Security
Kudos to the Vertical Structure and WhiteHat teams, happy to work with all of you!
'Box Shield' Brings New Security Controls
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15498
PUBLISHED: 2019-08-23
cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh.
CVE-2019-15499
PUBLISHED: 2019-08-23
CodiMD 1.3.1, when Safari is used, allows XSS via an IFRAME element with allow-top-navigation in the sandbox attribute, in conjunction with a data: URL.
CVE-2019-13139
PUBLISHED: 2019-08-22
In Docker before 18.09.4, an attacker who is capable of supplying or manipulating the build path for the "docker build" command would be able to gain command execution. An issue exists in the way "docker build" processes remote git URLs, and results in command injection into the ...
CVE-2019-15325
PUBLISHED: 2019-08-22
In GalliumOS 3.0, CONFIG_SECURITY_YAMA is disabled but /etc/sysctl.d/10-ptrace.conf tries to set /proc/sys/kernel/yama/ptrace_scope to 1, which might increase risk because of the appearance that a protection mechanism is present when actually it is not.
CVE-2019-15326
PUBLISHED: 2019-08-22
The import-users-from-csv-with-meta plugin before 1.14.2.1 for WordPress has directory traversal.