Lenovo confirms faulty NAS drives exposed 36TB of sensitive data

data leak warning

Lenovo has confirmed that a vulnerability in one of its legacy network-attached storage (NAS) drives was the cause of a gigantic 36TB data leak.

The "trivially easy" to exploit vulnerability was found in a range of Lenovo-EMC NAS devices which allowed an unauthorised user to access the drive's contents through its application programming interface (API).

The issue was discovered by researchers noticing a "pattern of unmarked files that looked out of place" and further digging found the NAS drives in question "would leak information through specially crafted requests via an API but not through their web interface," said Bryan Becker, WhiteHat Security and Simon Whittaker, Vertical Structure in a report.

"The process is mind-blowingly simple and simply requires the user to hit a particular endpoint," said Simon Whittaker, director at Vertical Structure, speaking to IT Pro. "The attacker could write a script to find all relevant vulnerable NAS devices and then go out indexing and retrieving data from each one either in parallel or in series depending on how they want to proceed."

All the attacker would require to gain access to the files on the vulnerable NAS drives would be knowledge of the IP address, Whittaker explained.

"We didn't pursue further after finding the vulnerability to make sure that we didn't invade privacy of the people involved but I would suggest from the device models listed by Lenovo that it will be significantly higher than 5,114," he added.

The massive data haul breaks down into around 13,000 leaked spreadsheet files that were indexed by Google which contained more than three million individual files. It was found that a "significant amount contained sensitive financial information including card numbers and financial records".

Lenovo later confirmed the researchers' findings in a security advisory labelled 'highly severe'. The company has released a patch for the vulnerability but later said: "If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks".

Once Lenovo was made aware of the issue by researchers, the company brought three versions of its software out of retirement so users could continue to run their NAS drives securely while they patched the vulnerability. It then pulled old software from version control to investigate for any other potential issues with a view to releasing fixes and more updates.

If you're the owner of an affected NAS drive, of which there are 5,114 connected to the internet, according to Dark Reading, it's important to check for patches immediately to remediate the issue and stop attackers from accessing your sensitive data.

NAS drives are especially common among small businesses due to their cost-effectiveness, ease of use and small form factor, making for quick and easy deployment. They're also easily expandable with slots for multiple drives so the storage can scale as the business does.

"Network-attached storage devices are very popular in organisations, so a vulnerability like this one which allows anyone to access data held on these devices is indeed a high risk," said Javvad Malik, security awareness advocate at KnowBe4. "Many organisations struggle with setting access control lists properly and with the proliferation of such devices including the use of cloud-based storage services, the impact of misconfigured access increases exponentially.

"Users should install the firmware as part of the Lenovo advisory. But in addition to this, it is advisable to undertake periodic audits on all computers and devices storing sensitive data," he added. "This often requires that you first have a good inventory of where that data is. Make sure that all data stakeholders understand that sensitive data requires period file, folder and database permission auditing."

Lenovo has also been the subject of more security blunders in recent weeks. Researchers at Swascan published details of nine vulnerabilities in Lenovo's server infrastructure at the start of July, two of which were labelled "severe".

Of the vulnerabilities disclosed, one "could allow attackers to execute unexpected, dangerous commands directly on the operating system," read Swascan's report. "This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications."

"These vulnerabilities, if exploited, could have impacted the integrity, availability and confidentiality of the systems," it added.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.