Researchers are warning of a vulnerability in LenovoEMC storage hardware and legacy Iomega-branded network attached storage (NAS) appliances that could lead to a breach of data stored on the devices. The bug, disclosed Tuesday by Lenovo, is rated high-severity and can be triggered via specially crafted requests made to the hardware’s application programming interface.
The vulnerability was discovered by researchers who stumbled on 36 terabytes of data, which included sensitive financial information such as payment-card numbers and financial records.
“In the fall of 2018, during a search on Shodan.io, software designed to monitor network security, a Vertical Structure employee discovered a pattern of unmarked files that looked out of place,” wrote researchers who reported the bug, in a blog about their research Tuesday.
After the Vertical Structure employee found the bug, the company notified WhiteHat Security to help with the investigation. WhiteHat Security found that, unlike many previous leaky cloud-based data stores or NAS devices with leaky web interfaces, this vulnerability was tied to the LenovoEMC application programming interface (API).
“The API is completely unauthenticated and provided the ability to list, access and retrieve the files remotely in a trivial manner. It is similar to millions of open s3 buckets being discovered,” wrote researchers in an email-based interview with Threatpost. “The vulnerability exists at the firmware layer. The issue is with the NAS firmware, which requires the update. It is understood that the patch created fundamentally changes the API and web interface to secure it.”
A disclosure timeline was not made available; however, researchers said that once Lenovo was made aware of the vulnerability it moved fast to mitigate the issue. Also not made available were the technical specifics of the vulnerability. The Lenovo security bulletin would only state that the bug “could allow an unauthenticated user to access files on NAS shares via the API.”
Models impacted are LenovoEMC StorCenter blade servers (Px12-350R and ix12-300r), Home Media Network Hard Drive (Cloud Edition 184.108.40.206221) and the company’s Iomega-branded NAS devices – StorCenter ix2-200, ix4-200d and ix4-200rl and StorCenter (cloud edition) ix2-200 and ix4-200d.
“In discovering this vulnerability, Lenovo pulled three versions of its software out of retirement and brought them back so their customers could continue to utilize their technologies while they patched the vulnerability,” according to the blog post. “Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates.”
On July 1, researchers at Swascan discovered nine vulnerabilities in the servers and applications of Lenovo’s infrastructure. And last year, Lenovo tackled nine bugs in its LenovoEMC and legacy Iomega devices impacting 20 NAS models. Vulnerable devices included eight LenovoEMC NAS (PX) models, nine Iomega StorCenter (PX and IX) models and the Lenovo-branded devices: ix4-300d, ix2 and EZ Media and Backup Center. Last year’s bugs, found by ISE Labs, were also tied to authentication issues.