Breaking News

DJI Introduces Osmo Mobile 8 with Intelligent Subject Tracking Samsung Launches New P9 Express microSD Express Cards Cloud Streaming officially arrives on PlayStation Portal CORSAIR Launches Second-Generation RMx SHIFT PSUs with Updated Cables and 12V-2×6 GPU Support Zenmuse L3 Launches as DJI's First Long-Range, High-Accuracy Aerial LiDAR System

logo

Lenovo Vulnerability Left 36TB of Data Exposed

Lenovo Vulnerability Left 36TB of Data Exposed

Enterprise & IT 0

Security researchers from Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability in Lenovo-EMC storage products that left users of specific network-attached storage devices with 36TB of data exposed to anyone who went looking for it.

The researchers found "about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totaled 3,030,106." Within these files, the report reveals, a "significant amount" with sensitive financial information including card numbers and financial records were found.

Lenovo has issued a security advisory which confirms that the firmware vulnerability "could allow an unauthenticated user to access files on NAS shares via the API." According to the researchers, it was "trivially easy" to exploit that application programming interface (API) and allow attackers to access the data stored upon any of several Lenovo-EMC network-attached storage (NAS) devices.

The investigation revealed at least 5,114 Iomega and LenovoEMC NAS devices connected to the Internet. It also appears that several of the impacted models had already reached end-of-life status, which meant that Lenovo no longer officially supported them.

The security researchers reported the issue to Lenovo. In response, Lenovo brought three obsolete versions of the device software back to enable customers to be able to continue using the devices while a patch was developed. "Lenovo's professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges," the researchers said, continuing "not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it."

Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website.

If you have one of the devices concerned, then Lenovo is urging that you update the firmware as a matter of urgency.

Related Posts