Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet

A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet.


About Iomega and LenovoEMC


Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses.


About the vulnerability (CVE-2019-6160)


CVE-2019-6160 affects a number of Iomega and LenovoEMC NAS products, which reached End-of-Service-Life four years ago.

The vulnerability stems from an unprotected API call and allows anyone to use Shodan to find vulnerable NAS devices and then simply download the exposed files by sending a specially crafted request.


The data leak was discovered by a Vertical Structure researcher via Shodan, the search engine for Internet-connected devices, and the existence of the flaw was confirmed by WhiteHat Security researchers.


After being notified and confirming the existence of the security issue, Lenovo released firmware updates for three versions of its software so that customers may safely continue using the NAS devices.


“Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates,” the researchers noted.


“Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.”


If you own an Iomega or LenovoEMC storage device, check out Lenovo’s security advisory and, if needed, implement the offered update.

“If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks,” Lenovo advised.

