Lenovo has confirmed a recent breach that exposed more than 36TB of data belonging to users of certain network-attached storage devices, saying that a vulnerability in some of its products “could allow an unauthenticated user to access files on NAS shares via the API.”
Security researchers from Vertical Structure, who made the discovery, said that they found “about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” Worse, the data include sensitive financial information such as card numbers and financial records.
According to a security notification from Lenovo, the breach affected both Iomega and LenovoEMC NAS products. Vertical Structure traced the source to a legacy Iomega storage product that was acquired by EMC and co-branded Lenovo-EMC in a joint venture. They added that it is “trivially easy” to exploit that application programming interface (API) and access the data stored on any of several Lenovo-EMC network-attached storage (NAS) devices.
Discovery was verified by WhiteHat Security
Researchers from Vertical Structure said they enlisted WhiteHat Security, a security firm known for having patched network-related vulnerabilities in the past, to verify their discovery. They chose WhiteHat, they said, because “of its world-renowned reputation in helping secure applications, to work together to verify the vulnerability found.”
“Verifying vulnerabilities is a very important step in securing applications, networks, and devices. After all, on an average day, WhiteHat scanners discover hundreds upon hundreds of new potential vulnerabilities,” they added.
After the team notified Lenovo of the vulnerability, they said the company responded swiftly and took measures to mitigate its impact.
When asked for comments regarding the problem, Simon Whittaker, cybersecurity director at Vertical Structures, said that “this is definitely a huge problem but one which we see every day.”
“Many organizations fear change and are cautious about retiring old devices. If they can’t replace devices, then they should be using threat modeling techniques to consider how better to protect them and ideally removing them from internet access completely,” he added.
To keep affected devices usable while the vulnerability was being patched, Lenovo brought three of its old software versions out of retirement. Lenovo then pulled the old software from version control to investigate any other potential vulnerabilities, fix them and release updates.
“High” severity problem
In a security advisory, Lenovo rated the vulnerability as “high” severity and advised users to “update to the firmware level (or later) described for your system in the Product Impact section.” If an update is not feasible, “partial protection can be achieved by removing any public shares and using the device only on trusted networks.”
In the advisory, Lenovo lists the products impacted by the flaw. They include:
- px12-350r and ix12-300r, version 184.108.40.206808
- HMND (Home Media Network Hard Drive) Cloud Edition, version 220.127.116.11221
- StorCenter ix2-200, Cloud Edition, version 18.104.22.168221
- StorCenter ix4-200d, Cloud Edition, version 22.214.171.124221
- StorCenter ix2-200, version 126.96.36.199227
- StorCenter ix4-200d, version 188.8.131.52227
- StorCenter ix4-200rl, version 184.108.40.206227
In its security advisory, Lenovo disclaims that “the information provided in this advisory is provided on an ‘as is’ basis without any warranty or guarantee of any kind” and advises users to “please remain current with updates and advisories from Lenovo regarding your equipment and software” for the latest information about the problem.
As part of their report, Vertical Structure said that there is a lot tech companies can learn from what happened at Lenovo. They characterized Lenovo’s approach to the problem as “professional” and hoped that other companies facing similar problems could learn from it.
“Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it,” said Vertical Structure.
“In sharing this story, both WhiteHat and Vertical Structure hope companies are inspired to always keep cybersecurity top of mind to keep up with the constant barrage of new vulnerabilities and exposures,” they added.