Lenovo confirms faulty NAS drives exposed 36TB of sensitive data

An emergency patch has been released to fix a "mind-blowingly simple" exploit


Lenovo has confirmed that a vulnerability in one of its legacy network-attached storage (NAS) drives was the cause of a gigantic 36TB data leak.

The "trivially easy" to exploit vulnerability was found in a range of Lenovo-EMC NAS devices which allowed an unauthorised user to access the drive's contents through its application programming interface (API).


The issue was discovered by researchers who noticed a "pattern of unmarked files that looked out of place"; further digging found that the NAS drives in question "would leak information through specially crafted requests via an API but not through their web interface," said Bryan Becker of WhiteHat Security and Simon Whittaker of Vertical Structure in a report.

"The process is mind-blowingly simple and simply requires the user to hit a particular endpoint," said Simon Whittaker, director at Vertical Structure, speaking to IT Pro. "The attacker could write a script to find all relevant vulnerable NAS devices and then go out indexing and retrieving data from each one either in parallel or in series depending on how they want to proceed."

All the attacker would require to gain access to the files on the vulnerable NAS drives would be knowledge of the IP address, Whittaker explained.


"We didn't pursue further after finding the vulnerability, to make sure that we didn't invade the privacy of the people involved, but I would suggest from the device models listed by Lenovo that it will be significantly higher than 5,114," he added.


The massive data haul breaks down into around 13,000 leaked spreadsheet files indexed by Google, which contained more than three million individual files. It was found that a "significant amount contained sensitive financial information including card numbers and financial records".

Lenovo later confirmed the researchers' findings in a security advisory labelled 'highly severe'. The company has released a patch for the vulnerability but later said: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".

Once Lenovo was made aware of the issue by researchers, the company brought three versions of its software out of retirement so users could continue to run their NAS drives securely while they patched the vulnerability. It then pulled old software from version control to investigate for any other potential issues with a view to releasing fixes and more updates.


If you're the owner of an affected NAS drive, of which there are 5,114 connected to the internet, according to Dark Reading, it's important to check for patches immediately to remediate the issue and stop attackers from accessing your sensitive data.

NAS drives are especially common among small businesses due to their cost-effectiveness, ease of use and small form factor, making for quick and easy deployment. They're also easily expandable with slots for multiple drives so the storage can scale as the business does.

"Network-attached storage devices are very popular in organisations, so a vulnerability like this one which allows anyone to access data held on these devices is indeed a high risk," said Javvad Malik, security awareness advocate at KnowBe4. "Many organisations struggle with setting access control lists properly and with the proliferation of such devices including the use of cloud-based storage services, the impact of misconfigured access increases exponentially.


"Users should install the firmware as part of the Lenovo advisory. But in addition to this, it is advisable to undertake periodic audits on all computers and devices storing sensitive data," he added. "This often requires that you first have a good inventory of where that data is. Make sure that all data stakeholders understand that sensitive data requires periodic file, folder and database permission auditing."

Lenovo has also been the subject of more security blunders in recent weeks. Researchers at Swascan published details of nine vulnerabilities in Lenovo's server infrastructure at the start of July, two of which were labelled "severe".

Of the vulnerabilities disclosed, one "could allow attackers to execute unexpected, dangerous commands directly on the operating system," read Swascan's report. "This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications."

"These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems," it added.
