Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/16/2019
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Lenovo NAS Firmware Flaw Exposes Stored Data

More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

Thousands of users of Lenovo network-attached storage devices are at risk of data compromise via a firmware-level vulnerability.

The flaw, which is present in certain models of the NAS products, allows unauthenticated users to view and access data stored on the devices, and is trivially easy to exploit via the Application Programming Interface, researchers from Vertical Structure and WhiteHat Security said this week.

An initial investigation of the issue uncovered at least 5,114 of the devices exposed on the Internet with over 3 million files vulnerable to the issue. But the total number of such at-risk Lenovo storage systems could be higher.  

The researchers found that Google had already indexed several of these exposed devices, resulting in some 13,000 spreadsheet files with 36 terabytes of data available on the Web. Many of exposed files had sensitive data in them, including credit card numbers and financial records.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," says Simon Whittaker, director at Vertical Structure. "It is similar to thousands of open [AWS] S3 [storage] buckets being discovered." 

The devices impacted by the issue include several models of Iomega's StorCenter and LenovoEMC's series of NAS systems. Several of the impacted models have reached end-of-life status, so Lenovo is no longer supporting or maintaining them.

High Severity Issue

In an alert Tuesday that lists all impacted devices, Lenovo described the vulnerability as high severity because it allows unauthenticated access to files on NAS shares via the API. The company urged users of vulnerable devices to immediately update their firmware to the latest available version.

In situations where a user might not be immediately able to update the firmware for any reason, they should remove any public shares and use the device only on trusted networks, Lenovo said. By taking this measure organizations can achieve "partial protection" from the vulnerability, according to the vendor.

Whittaker says Vertical Structure uncovered the issue last fall when a routine Shodan scan unearthed a collection of unmarked files that researchers were later able to trace back to external hard drives from Iomega. After some investigating, the researchers found the external hard drives would leak information through specially crafted requests via an API, but not through their Web interface, he says.

Researchers from Vertical Structure then worked with counterparts from WhiteHat Security to confirm the vulnerability and later inform Lenovo about it.

In the devices found directly accessible from the Internet, all that an attacker would need to grab data from them is knowledge of the NAS's IP address, Whittaker says. And for devices not directly accessible from the Internet, an attacker would need to be on the same network in order to exploit the vulnerability, he says.

When Lenovo itself was first informed of the issue, the company pulled three versions of its NAS software out of retirement so users could continue to utilize their product while a fix was being readied, Vertical Structure said.

The firmware update the company has released fundamentally changed the API and the Web interface, in order to secure it, Whittaker explains.

The data in the vulnerable devices presents a treasure trove of information about people and organizations, he notes. "By putting this information online they assumed it would be secure and protected by the username and password," Whittaker says. "But this was incorrect."

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
prabhuram.mohan
50%
50%
prabhuram.mohan,
User Rank: Author
7/31/2019 | 4:01:25 PM
Vertical Structure - WhiteHat Security
Kudos to the Vertical Structure and WhiteHat teams, happy to work with all of you!
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...