An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.
The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.
The experts believe the actual number of exposed systems could be much greater because they were able to identify only 5,114 devices.
“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.
“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”
The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request via an API that was not protected with any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.
The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.
After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to solve the issue.
“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.
In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – NAS devices, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
U.S. CISA added the Windows Print Spooler flaw CVE-2022-38028 to its Known Exploited Vulnerabilities catalog.…
The U.S. Department of Justice (DoJ) announced the arrest of two co-founders of a cryptocurrency mixer…
Google addressed a critical Chrome vulnerability, tracked as CVE-2024-4058, that resides in the ANGLE graphics…
Nation-state actor UAT4356 has been exploiting two zero-days in ASA and FTD firewalls since November…
A malware campaign has been exploiting the updating mechanism of the eScan antivirus to distribute…
The Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned four Iranian nationals for their…
This website uses cookies.