Lenovo confirms faulty NAS drives exposed 36TB of sensitive data

An emergency patch has been released to fix a "mind-blowingly simple" exploit


Lenovo has confirmed that a vulnerability in one of its legacy network-attached storage (NAS) drives was the cause of a gigantic 36TB data leak.

The vulnerability, described as "trivially easy" to exploit, was found in a range of Lenovo-EMC NAS devices and allowed an unauthorised user to access the drive's contents through its application programming interface (API).

The issue was discovered by researchers who noticed a "pattern of unmarked files that looked out of place"; further digging found that the NAS drives in question "would leak information through specially crafted requests via an API but not through their web interface," said Bryan Becker of WhiteHat Security and Simon Whittaker of Vertical Structure in a report.

"The process is mind-blowingly simple and simply requires the user to hit a particular endpoint," said Simon Whittaker, director at Vertical Structure, speaking to IT Pro. "The attacker could write a script to find all relevant vulnerable NAS devices and then go out indexing and retrieving data from each one either in parallel or in series depending on how they want to proceed."


All the attacker would require to gain access to the files on the vulnerable NAS drives would be knowledge of the IP address, Whittaker explained.

"We didn't pursue further after finding the vulnerability to make sure that we didn't invade the privacy of the people involved, but I would suggest from the device models listed by Lenovo that it will be significantly higher than 5,114," he added.

The massive data haul breaks down into around 13,000 leaked spreadsheet files that were indexed by Google and contained more than three million individual files. It was found that a "significant amount contained sensitive financial information including card numbers and financial records".

Lenovo later confirmed the researchers' findings in a security advisory labelled 'highly severe'. The company has released a patch for the vulnerability but later said: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".

Once Lenovo was made aware of the issue by researchers, the company brought three versions of its software out of retirement so users could continue to run their NAS drives securely while they patched the vulnerability. It then pulled old software from version control to investigate for any other potential issues with a view to releasing fixes and more updates.

If you're the owner of an affected NAS drive, of which there are 5,114 connected to the internet, according to Dark Reading, it's important to check for patches immediately to remediate the issue and stop attackers from accessing your sensitive data.


NAS drives are especially common among small businesses due to their cost-effectiveness, ease of use and small form factor, making for quick and easy deployment. They're also easily expandable with slots for multiple drives so the storage can scale as the business does.

"Network-attached storage devices are very popular in organisations, so a vulnerability like this one which allows anyone to access data held on these devices is indeed a high risk," said Javvad Malik, security awareness advocate at KnowBe4. "Many organisations struggle with setting access control lists properly and with the proliferation of such devices including the use of cloud-based storage services, the impact of misconfigured access increases exponentially.

"Users should install the firmware as part of the Lenovo advisory. But in addition to this, it is advisable to undertake periodic audits on all computers and devices storing sensitive data," he added. "This often requires that you first have a good inventory of where that data is. Make sure that all data stakeholders understand that sensitive data requires periodic file, folder and database permission auditing."
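The permission and sensitive-data audit Malik recommends can be scripted for a share export. The following is an added example, not code from the article or from Lenovo: it walks a directory tree, flags world-readable files and files containing Luhn-valid card-like numbers, and runs against a constructed sample tree (the filenames and contents are made up for this example).

```python
import os
import re
import stat
import tempfile

# Constructed sample standing in for a NAS share export (hypothetical content).
SAMPLE_FILES = {
    "public/accounts.csv": "name,card\nA. Person,4111111111111111\n",  # Luhn-valid
    "public/notes.txt": "order ref 1234567812345678\n",               # fails Luhn
    "private/readme.txt": "nothing sensitive here\n",
}
PUBLIC_MODE, PRIVATE_MODE = 0o644, 0o600

CARD_RE = re.compile(r"\b\d{13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for well-formed payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def audit_share(root: str) -> list:
    """Report files under root that are world-readable or hold card-like numbers.
    Each finding: {"path": relative path, "world_readable": bool, "cards": [...]}."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            world_readable = bool(os.stat(path).st_mode & stat.S_IROTH)
            with open(path, errors="ignore") as fh:
                cards = [m for m in CARD_RE.findall(fh.read()) if luhn_ok(m)]
            if world_readable or cards:
                findings.append({"path": os.path.relpath(path, root),
                                 "world_readable": world_readable, "cards": cards})
    return findings

def build_sample_share() -> str:
    """Write the constructed sample tree to a temp dir and return its root."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, PUBLIC_MODE if rel.startswith("public/") else PRIVATE_MODE)
    return root
```

Run on a real export, the "cards" list tells you which files to move off public shares first; the world-readable flag catches the misconfigured permissions Malik describes.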

Lenovo has also been the subject of more security blunders in recent weeks. Researchers at Swascan published details of nine vulnerabilities in Lenovo's server infrastructure at the start of July, two of which were labelled "severe".


Of the vulnerabilities disclosed, one "could allow attackers to execute unexpected, dangerous commands directly on the operating system," read Swascan's report. "This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications."

"These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems," it added.
