Advisory Overview
Several different Lenovo-EMC Network Attached Storage (NAS) devices – including those from the Iomega NAS device line – have critical vulnerabilities that must be patched. These devices, if left unpatched, have the ability to allow a threat actor to view and possibly alter and/or steal data in file shares. Patches and Firmware Updates already exist to correct this vulnerability for all currently supported devices, and should be applied as soon as possible.
Technical detail and additional information:
What is the threat?
Researchers have found a high-severity vulnerability in Lenovo-EMC Storage hardware and Iomega-branded Network Attached Storage (NAS) appliances that can give remote attackers access to files stored on these devices.This Vulnerability allows “an authenticated user to gain access to the files stored on the devices by sending a specially crafted request via an API”. Of note, the API’son some impacted devices donot require authentication in all cases, and as such the vulnerability may be wider spread than first thought.
Why is this noteworthy?
Security researchers have estimated that in one instances of breach; 36 terabytes of data wereleaked compromising 3,030,106 files. These files contain a significant amount of classified financial information including financial records and credit card numbers. These files were stored on the devices wereaccessed through an API (Application Programming Interface) request. The API in question may beunauthenticated; and can have the ability to list, access and retrieve the files remotely if the NAS is exposed to the Internet – even if the shares are not specifically public.
What is the exposure or risk?
Attackers can easily scan the web for vulnerable devices and send a malicious request to the target device’s IP address. Attackers can also create a script to automate the attack and retrieve data from vulnerable devices. This vulnerability allows anyone to use Shodan (a search engine for Internet-connected devices) to find vulnerable NAS devices.
What are the recommendations?
Lenovo has released a Security Advisory for this vulnerability (LEN – 25557). The Advisory link is proved in the References section of this document. As most of these devices have reached End of Life, Lenovo no longer provides support for every device impacted. If you have one of the devices impacted, we recommend one of the following steps be taken immediately:
- Users should update the appliance firmware level to latest version available for their appliance/device.
- If it is not feasible to update the firmware, users should remove public shares and use the device only on trusted networks. Devices should have no connectivity to the Internet or other public networks at all. While this only limits exposure, this workaround can partially protect the device. If no firmware update is available because the appliance has reached End of Life, upgrading to a new appliance is the only way to gain full protection.
References:
For more in-depth information about the recommendations, please visit the following link:
https://threatpost.com/lenovoemc-storage-leak-financial-data/146494/
https://www.securityweek.com/thousands-legacy-lenovo-storage-devices-exposed-millions-files
Lenovo Security Advisory for the vulnerability:
https://support.lenovo.com/us/en/product_security/LEN-25557
If you have any questions, please contact our Security Operations Center.