Security researchers from Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability in Lenovo-EMC storage products that left users of specific network-attached storage devices with 36TB of data exposed to anyone who went looking for it.
The researchers found "about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totaled 3,030,106." Within these files, the report reveals, a "significant amount" with sensitive financial information including card numbers and financial records were found.
Lenovo has issued a security advisory which confirms that the firmware vulnerability "could allow an unauthenticated user to access files on NAS shares via the API." According to the researchers, it was "trivially easy" to exploit that application programming interface (API) and allow attackers to access the data stored upon any of several Lenovo-EMC network-attached storage (NAS) devices.
The investigation revealed at least 5,114 Iomega and LenovoEMC NAS devices connected to the Internet. It also appears that several of the impacted models had already reached end-of-life status, which meant that Lenovo no longer officially supported them.
The security researchers reported the issue to Lenovo. In response, Lenovo brought three obsolete versions of the device software back to enable customers to be able to continue using the devices while a patch was developed. "Lenovo's professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges," the researchers said, continuing "not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it."
Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website.
If you have one of the devices concerned, then Lenovo is urging that you update the firmware as a matter of urgency.