Iomega StorCenter & Lenovo EMC NAS devices are leaking users’ information

Web application security specialists reported a critical firmware-level vulnerability in Lenovo's network-connected storage devices; if exploited, this flaw could compromise the security of the information that users store on these devices.

The vulnerability exists only in some models of network attached storage (NAS) devices and allows unauthenticated users to access and read data stored on these drives. According to the researchers who reported the flaw, exploitation is relatively simple and takes place through the device's Application Programming Interface (API).

During early research, web application security specialists found at least 5,100 vulnerable devices and more than 3 million files exposed online; however, given the extensive use of NAS equipment manufactured by Lenovo, the number of exposed users could be much higher.

It is estimated that the exposed information could reach 40 terabytes; many of these exposed devices have already been indexed by commonly used search engines, such as Google. According to reports, some of the exposed folders contain sensitive information, such as payment card details and other financial data.

On the other hand, the company notified users of these devices about the flaw, described as "a severe vulnerability that allows authentication access to files on NAS shares". Lenovo asks users of vulnerable devices to install the firmware update as soon as possible.

According to web application security experts, in case the user is unable to update the firmware to the latest version at this time, a possible workaround is to delete any public shares and only use the device in a trusted network.

Specialists from the International Institute of Cyber Security (IICS) explain that the firmware update released by Lenovo changes fundamental aspects of the API and web interface of the NAS devices to improve the user experience. Updates of this kind should be a constant in the industry, given the strong interest that information stored online arouses in threat actor groups.