
Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet


straycat19


A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet.


About Iomega and LenovoEMC


Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses.


About the vulnerability (CVE-2019-6160)


CVE-2019-6160 affects a number of Iomega and LenovoEMC NAS products, which reached End-of-Service-Life four years ago.

The vulnerability stems from an unprotected API call: anyone can use Shodan to find vulnerable NAS devices and then simply download the exposed files by sending specially crafted requests.


The data leak was discovered by a Vertical Structure researcher via Shodan, the search engine for Internet-connected devices, and the existence of the flaw was confirmed by WhiteHat Security researchers.


After being notified and confirming the existence of the security issue, Lenovo released firmware updates for three versions of its software, so that customers may safely continue using the NAS devices.


“Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates,” the researchers noted.


“Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.”


If you own an Iomega or LenovoEMC storage device, check out Lenovo’s security advisory and, if needed, implement the offered update.

“If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks,” Lenovo advised.