A flaw in discontinued Iomega/Lenovo NAS devices exposed millions of files

Experts at Vertical Structure and WhiteHat Security discovered a serious flaw that exposed millions of files stored on thousands of exposed Lenovo NAS devices.

An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.

The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.

The experts believe the actual number of exposed systems could be much greater because they were able to identify only 5,114 devices.

“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.

“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”

The vulnerability could have been exploited by a remote, unauthenticated attacker to access the files stored on the NAS devices by sending a specially crafted request via an API that was not protected with any authentication mechanism. The experts pointed out that the devices did not leak data through their web interface.

The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.

After the researchers from Vertical Structure and WhiteHat reported their findings to Lenovo, the company pulled three versions of the affected software out of retirement to solve the issue.

“A vulnerability in Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.” reads the advisory published by Lenovo.

In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by unauthenticated attackers to access protected content.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – NAS devices, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]