Breaking News

SAMA Expands CPU Cooling Lineup with A60 and A40 Series Air Coolers for Gaming and Creator PCs The Lockerstor 12R Pro Gen2 and 16R Pro Gen2 are Here! TRUSTA Highlights SSD Power Efficiency for AI Servers at OCP APAC 2025 XPG Launches VALOR NANO Compact Cases with the All-New PYMCORE SFX PSU Speedlink announces illuminated mechanical 60% gaming keyboard

logo

Lenovo Vulnerability Left 36TB of Data Exposed

Lenovo Vulnerability Left 36TB of Data Exposed

Enterprise & IT 0

Security researchers from Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability in Lenovo-EMC storage products that left users of specific network-attached storage devices with 36TB of data exposed to anyone who went looking for it.

The researchers found "about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totaled 3,030,106." Within these files, the report reveals, a "significant amount" with sensitive financial information including card numbers and financial records were found.

Lenovo has issued a security advisory which confirms that the firmware vulnerability "could allow an unauthenticated user to access files on NAS shares via the API." According to the researchers, it was "trivially easy" to exploit that application programming interface (API) and allow attackers to access the data stored upon any of several Lenovo-EMC network-attached storage (NAS) devices.

The investigation revealed at least 5,114 Iomega and LenovoEMC NAS devices connected to the Internet. It also appears that several of the impacted models had already reached end-of-life status, which meant that Lenovo no longer officially supported them.

The security researchers reported the issue to Lenovo. In response, Lenovo brought three obsolete versions of the device software back to enable customers to be able to continue using the devices while a patch was developed. "Lenovo's professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges," the researchers said, continuing "not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it."

Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website.

If you have one of the devices concerned, then Lenovo is urging that you update the firmware as a matter of urgency.

Related Posts