Breaking News

Thermaltake Launches AW360/420 AIO Liquid Cooler and WAir CPU Cooler for Workstations be quiet! redefines versatility with new Light Base 500 LX and Light Base 500 PC cases Crucial’s UK promos for Amazon’s Prime Day Deals 2025 JEDEC Sets the Stage for the Next Leap in Flash Storage With UFS 5.0 MSI Launches Its First Back-Connection Graphics Card—GeForce RTX 5070 Ti 16G VENTUS 3X PZ Series

logo

Lenovo Vulnerability Left 36TB of Data Exposed

Lenovo Vulnerability Left 36TB of Data Exposed

Enterprise & IT 0

Security researchers from Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability in Lenovo-EMC storage products that left users of specific network-attached storage devices with 36TB of data exposed to anyone who went looking for it.

The researchers found "about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totaled 3,030,106." Within these files, the report reveals, a "significant amount" with sensitive financial information including card numbers and financial records were found.

Lenovo has issued a security advisory which confirms that the firmware vulnerability "could allow an unauthenticated user to access files on NAS shares via the API." According to the researchers, it was "trivially easy" to exploit that application programming interface (API) and allow attackers to access the data stored upon any of several Lenovo-EMC network-attached storage (NAS) devices.

The investigation revealed at least 5,114 Iomega and LenovoEMC NAS devices connected to the Internet. It also appears that several of the impacted models had already reached end-of-life status, which meant that Lenovo no longer officially supported them.

The security researchers reported the issue to Lenovo. In response, Lenovo brought three obsolete versions of the device software back to enable customers to be able to continue using the devices while a patch was developed. "Lenovo's professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges," the researchers said, continuing "not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it."

Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website.

If you have one of the devices concerned, then Lenovo is urging that you update the firmware as a matter of urgency.

Related Posts