Lenovo has confirmed that a vulnerability in one of its legacy network-attached storage (NAS) drives was the cause of a gigantic 36TB data leak.
The "trivially easy" to exploit vulnerability was found in a range of Lenovo-EMC NAS devices which allowed an unauthorised user to access the drive's contents through its application programming interface (API).
The issue was discovered by researchers noticing a "pattern of unmarked files that looked out of place" and further digging found the NAS drives in question "would leak information through specially crafted requests via an API but not through their web interface," said Bryan Becker, WhiteHat Security and Simon Whittaker, Vertical Structure in a report.
"The process is mind-blowingly simple and simply requires the user to hit a particular endpoint," said Simon Whittaker, director at Vertical Structure, speaking to IT Pro. "The attacker could write a script to find all relevant vulnerable NAS devices and then go out indexing and retrieving data from each one either in parallel or in series depending on how they want to proceed."
All the attacker would require to gain access to the files on the vulnerable NAS drives would be knowledge of the IP address, Whittaker explained.
"We didn't pursue further after finding the vulnerability to make sure that we didn't invade privacy of the people involved but I would suggest from the device models listed by Lenovo that it will be significantly higher than 5,114," he added.
The massive data haul breaks down into around 13,000 leaked spreadsheet files that were indexed by Google which contained more than three million individual files. It was found that a "significant amount contained sensitive financial information including card numbers and financial records".
Lenovo later confirmed the researchers' findings in a security advisory labelled 'highly severe'. The company has released a patch for the vulnerability but later said: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".
Once Lenovo was made aware of the issue by researchers, the company brought three versions of its software out of retirement so users could continue to run their NAS drives securely while they patched the vulnerability. It then pulled old software from version control to investigate for any other potential issues with a view to releasing fixes and more updates.
If you're the owner of an affected NAS drive, of which there are 5,114 connected to the internet, according to Dark Reading, it's important to check for patches immediately to remediate the issue and stop attackers from accessing your sensitive data.
NAS drives are especially common among small businesses due to their cost-effectiveness, ease of use and small form factor, making for quick and easy deployment. They're also easily expandable with slots for multiple drives so the storage can scale as the business does.
"Network-attached storage devices are very popular in organisations, so a vulnerability like this one which allows anyone to access data held on these devices is indeed a high risk," said Javvad Malik, security awareness advocate at KnowBe4. "Many organisations struggle with setting access control lists properly and with the proliferation of such devices including the use of cloud-based storage services, the impact of misconfigured access increases exponentially.
"Users should install the firmware as part of the Lenovo advisory. But in addition to this, it is advisable to undertake periodic audits on all computers and devices storing sensitive data," he added. "This often requires that you first have a good inventory of where that data is. Make sure that all data stakeholders understand that sensitive data requires period file, folder and database permission auditing."
Lenovo has also been the subject of more security blunders in recent weeks. Researchers at Swascan published details of nine vulnerabilities in Lenovo's server infrastructure at the start of July, two of which were labelled "severe".
Of the vulnerabilities disclosed, one "could allow attackers to execute unexpected, dangerous commands directly on the operating system," read Swascan's report. "This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications."
"These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems," it added.
-
Global cybersecurity spending is set to rise 12% in 2025 – here are the industries ramping up investmentNews Global cybersecurity spending is expected to surge this year, fueled by escalating state-sponsored threats and the rise of generative AI, according to new analysis from IDC.
-
Google Cloud is leaning on all its strengths to support enterprise AIAnalysis Google Cloud made a big statement at its annual conference last week, staking its claim as the go-to provider for enterprise AI adoption.
-
The business value of Zscaler Data ProtectionWhitepaper Understand how this tool minimizes the risks related to data loss and other security events
-
Top data security trendsWhitepaper Must-have tools for your data security toolkit
-
Three essential requirements for flawless data protectionWhitepaper Want a better CASB and stronger DLP? You have to start with the right foundation
-
The gratitude gapWhitepaper 2023 State of Recognition
-
The top five risks of perimeter firewallsWhitepaper ...and the one way to overcome them all
-
Redefining modern enterprise storage for mission-critical workloadsWhitepaper Evolving technology to meet the mission-critical needs of the most demanding IT environments
-
The business value of storage solutions from Dell TechnologiesWhitepaper Streamline your IT infrastructure while meeting the demands of digital transformation
-
Building a data governance strategy in 2023In-depth Data governance will continue to expand as attitudes change and businesses look to optimise the value of their data
