Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/16/2019
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Lenovo NAS Firmware Flaw Exposes Stored Data

More than 5,100 vulnerable devices containing multiple terabytes of data are open to exploitation, researchers found.

Thousands of users of Lenovo network-attached storage devices are at risk of data compromise via a firmware-level vulnerability.

The flaw, which is present in certain models of the NAS products, allows unauthenticated users to view and access data stored on the devices, and is trivially easy to exploit via the Application Programming Interface, researchers from Vertical Structure and WhiteHat Security said this week.

An initial investigation of the issue uncovered at least 5,114 of the devices exposed on the Internet with over 3 million files vulnerable to the issue. But the total number of such at-risk Lenovo storage systems could be higher.  

The researchers found that Google had already indexed several of these exposed devices, resulting in some 13,000 spreadsheet files with 36 terabytes of data available on the Web. Many of exposed files had sensitive data in them, including credit card numbers and financial records.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," says Simon Whittaker, director at Vertical Structure. "It is similar to thousands of open [AWS] S3 [storage] buckets being discovered." 

The devices impacted by the issue include several models of Iomega's StorCenter and LenovoEMC's series of NAS systems. Several of the impacted models have reached end-of-life status, so Lenovo is no longer supporting or maintaining them.

High Severity Issue

In an alert Tuesday that lists all impacted devices, Lenovo described the vulnerability as high severity because it allows unauthenticated access to files on NAS shares via the API. The company urged users of vulnerable devices to immediately update their firmware to the latest available version.

In situations where a user might not be immediately able to update the firmware for any reason, they should remove any public shares and use the device only on trusted networks, Lenovo said. By taking this measure organizations can achieve "partial protection" from the vulnerability, according to the vendor.

Whittaker says Vertical Structure uncovered the issue last fall when a routine Shodan scan unearthed a collection of unmarked files that researchers were later able to trace back to external hard drives from Iomega. After some investigating, the researchers found the external hard drives would leak information through specially crafted requests via an API, but not through their Web interface, he says.

Researchers from Vertical Structure then worked with counterparts from WhiteHat Security to confirm the vulnerability and later inform Lenovo about it.

In the devices found directly accessible from the Internet, all that an attacker would need to grab data from them is knowledge of the NAS's IP address, Whittaker says. And for devices not directly accessible from the Internet, an attacker would need to be on the same network in order to exploit the vulnerability, he says.

When Lenovo itself was first informed of the issue, the company pulled three versions of its NAS software out of retirement so users could continue to utilize their product while a fix was being readied, Vertical Structure said.

The firmware update the company has released fundamentally changed the API and the Web interface, in order to secure it, Whittaker explains.

The data in the vulnerable devices presents a treasure trove of information about people and organizations, he notes. "By putting this information online they assumed it would be secure and protected by the username and password," Whittaker says. "But this was incorrect."

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
prabhuram.mohan
50%
50%
prabhuram.mohan,
User Rank: Author
7/31/2019 | 4:01:25 PM
Vertical Structure - WhiteHat Security
Kudos to the Vertical Structure and WhiteHat teams, happy to work with all of you!
44% of Security Threats Start in the Cloud
Kelly Sheridan, Staff Editor, Dark Reading,  2/19/2020
Zero-Factor Authentication: Owning Our Data
Nick Selby, Chief Security Officer at Paxos Trust Company,  2/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8818
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 2.0.30 for Magento 2. Lack of origin authentication in the IPN callback processing function in Controller/Payment/Callback.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore...
CVE-2020-8819
PUBLISHED: 2020-02-25
An issue was discovered in the CardGate Payments plugin through 3.1.15 for WooCommerce. Lack of origin authentication in the IPN callback processing function in cardgate/cardgate.php allows an attacker to remotely replace critical plugin settings (merchant ID, secret key, etc.) and therefore bypass ...
CVE-2020-9385
PUBLISHED: 2020-02-25
A NULL Pointer Dereference exists in libzint in Zint 2.7.1 because multiple + characters are mishandled in add_on in upcean.c, when called from eanx in upcean.c during EAN barcode generation.
CVE-2020-9382
PUBLISHED: 2020-02-24
An issue was discovered in the Widgets extension through 1.4.0 for MediaWiki. Improper title sanitization allowed for the execution of any wiki page as a widget (as defined by this extension) via MediaWiki's } parser function.
CVE-2020-1938
PUBLISHED: 2020-02-24
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that ...