Lenovo confirms faulty NAS drives exposed 36TB of sensitive data

An emergency patch has been released to fix a "mind-blowingly simple" exploit

data leak warning

Lenovo has confirmed that a vulnerability in one of its legacy network-attached storage (NAS) drives was the cause of a gigantic 36TB data leak.

The "trivially easy" to exploit vulnerability was found in a range of Lenovo-EMC NAS devices which allowed an unauthorised user to access the drive's contents through its application programming interface (API).

Advertisement - Article continues below

The issue was discovered by researchers noticing a "pattern of unmarked files that looked out of place" and further digging found the NAS drives in question "would leak information through specially crafted requests via an API but not through their web interface," said Bryan Becker, WhiteHat Security and Simon Whittaker, Vertical Structure in a report.

"The process is mind-blowingly simple and simply requires the user to hit a particular endpoint," said Simon Whittaker, director at Vertical Structure, speaking to IT Pro. "The attacker could write a script to find all relevant vulnerable NAS devices and then go out indexing and retrieving data from each one either in parallel or in series depending on how they want to proceed."

All the attacker would require to gain access to the files on the vulnerable NAS drives would be knowledge of the IP address, Whittaker explained.

Advertisement
Advertisement - Article continues below

"We didn't pursue further after finding the vulnerability to make sure that we didn't invade privacy of the people involved but I would suggest from the device models listed by Lenovo that it will be significantly higher than 5,114," he added.

Advertisement - Article continues below

The massive data haul breaks down into around 13,000 leaked spreadsheet files that were indexed by Google which contained more than three million individual files. It was found that a "significant amount contained sensitive financial information including card numbers and financial records".

Lenovo later confirmed the researchers' findings in a security advisory labelled 'highly severe'. The company has released a patch for the vulnerability but later said: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".

Once Lenovo was made aware of the issue by researchers, the company brought three versions of its software out of retirement so users could continue to run their NAS drives securely while they patched the vulnerability. It then pulled old software from version control to investigate for any other potential issues with a view to releasing fixes and more updates.

Advertisement - Article continues below

If you're the owner of an affected NAS drive, of which there are 5,114 connected to the internet, according to Dark Reading, it's important to check for patches immediately to remediate the issue and stop attackers from accessing your sensitive data.

NAS drives are especially common among small businesses due to their cost-effectiveness, ease of use and small form factor, making for quick and easy deployment. They're also easily expandable with slots for multiple drives so the storage can scale as the business does.

"Network-attached storage devices are very popular in organisations, so a vulnerability like this one which allows anyone to access data held on these devices is indeed a high risk," said Javvad Malik, security awareness advocate at KnowBe4. "Many organisations struggle with setting access control lists properly and with the proliferation of such devices including the use of cloud-based storage services, the impact of misconfigured access increases exponentially.

Advertisement - Article continues below

"Users should install the firmware as part of the Lenovo advisory. But in addition to this, it is advisable to undertake periodic audits on all computers and devices storing sensitive data," he added. "This often requires that you first have a good inventory of where that data is. Make sure that all data stakeholders understand that sensitive data requires period file, folder and database permission auditing."

Lenovo has also been the subject of more security blunders in recent weeks. Researchers at Swascan published details of nine vulnerabilities in Lenovo's server infrastructure at the start of July, two of which were labelled "severe".

Of the vulnerabilities disclosed, one "could allow attackers to execute unexpected, dangerous commands directly on the operating system," read Swascan's report. "This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications."

"These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems," it added.

Featured Resources

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Remote working 2020: Advantages and challenges

Discover how to overcome remote working challenges

Download now

Keep your data available with snapshot technology

Synology’s solution to your data protection problem

Download now

After the lockdown - reinventing the way your business works

Your guide to ensuring business continuity, no matter the crisis

Download now
Advertisement
Advertisement

Recommended

Andrew Daniels joins Druva as CIO and CISO
Cloud

Andrew Daniels joins Druva as CIO and CISO

22 Jul 2020
University of California gets fleeced by hackers for $1.14 million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Australia announces $1.35 billion investment in cyber security
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
CSA and ISSA form cyber security partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

3 Aug 2020
How to use Chromecast without Wi-Fi
Mobile

How to use Chromecast without Wi-Fi

4 Aug 2020
UN report points to a 350% rise in phishing websites at start of 2020
phishing

UN report points to a 350% rise in phishing websites at start of 2020

7 Aug 2020