The "trivially easy" to exploit vulnerability found on the NAS devices allows unauthorized users to access the drive's contents through its application programming interface (API). This high-severity bug is triggered by specially crafted requests sent to the device's API; it cannot be triggered through the web interface.
Researchers Bryan Becker of WhiteHat Security and Simon Whittaker of Vertical Structure said in their report that during their research they found "about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totalled 3,030,106." The report adds that a "significant amount" of these files contained sensitive financial information, including card numbers and financial records.
All an attacker would need to gain access to the files on a vulnerable NAS drive is knowledge of its IP address, Whittaker explained. After discovering the leak, the researchers brought in WhiteHat Security to help with the investigation. Lenovo has confirmed the bug and released a security advisory rating it 'Highly Severe'. Lenovo has also released a firmware patch for the vulnerability, and added: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".
After being notified of the bug, the company brought three retired versions of its firmware back into support so that users could continue to run their NAS drives securely while it patched the vulnerability. It then pulled the old software from version control to check for any other potential issues, with a view to releasing further fixes and updates.
The affected models are the LenovoEMC StorCenter blade servers (Px12-350R and ix12-300r), the Home Media Network Hard Drive (Cloud Edition 188.8.131.52221) and the company’s Iomega-branded NAS devices: the StorCenter ix2-200, ix4-200d and ix4-200rl, and the StorCenter (Cloud Edition) ix2-200 and ix4-200d.
Lenovo recommends that owners of all its affected NAS drives (5,114 in total) check for and apply the patches immediately to remediate the issue and stop attackers from accessing their sensitive data.
Earlier this month, Lenovo was also notified by researchers at Swascan of nine vulnerabilities in the servers and applications of Lenovo’s own infrastructure.