Davey Winder Senior Contributor
Yang Yuanqing, chairman and chief executive officer of Lenovo Group, attends a news conference in Hong Kong, Thursday, May 23, 2019. © 2019 Bloomberg Finance LP
Lenovo has confirmed that a “high severity” security vulnerability has left users of specific network-attached storage devices with data exposed to anyone who went looking for it. How much data? How does at least 36TB grab you? That’s the number that the security researchers who uncovered the vulnerability in the Lenovo-EMC storage products put on the data leak at the time of the discovery.
According to the Vertical Structure report, security researchers found “about 13,000 spreadsheet files indexed, with 36TB of data available. The number of files in the index from scanning totaled 3,030,106.” Within these files, the report reveals, a “significant amount” of sensitive financial information, including card numbers and financial records, was found.
Lenovo has now issued a security advisory which confirms that the firmware vulnerability “could allow an unauthenticated user to access files on NAS shares via the API.” According to the researchers, it was “trivially easy” to exploit that application programming interface (API) and allow attackers to access the data stored on any of several Lenovo-EMC network-attached storage (NAS) devices. The full list of devices impacted by this vulnerability can be found in the Lenovo security advisory.
Security vulnerability verified by WhiteHat Security
The investigation, which was carried out jointly between Vertical Structure and WhiteHat Security, revealed at least 5,114 Iomega and LenovoEMC NAS devices connected to the Internet, according to Dark Reading. It also appears that several of the impacted models had already reached end-of-life status, which meant that Lenovo no longer officially supported them.
WhiteHat’s team of application security engineers at its threat research center verified the initial findings from Vertical Structure and confirmed the vulnerability, which was then reported to Lenovo. In response, Lenovo brought three obsolete versions of the device software back so that customers could continue using the devices while a patch was developed. “Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges,” the researchers said, continuing: “Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.”
What does Lenovo advise?
If you have one of the devices concerned, then Lenovo is urging that you update the firmware as a matter of urgency. “Users should update to the firmware level or later described for your system in the Product Impact section,” Lenovo advised. “If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks.”
I asked Simon Whittaker, cybersecurity director at Vertical Structure, about the problems of having legacy devices within a commercial setting. “This is definitely a huge problem but one which we see every day,” he says. “Many organizations fear change and are cautious about retiring old devices.” Whittaker also points out that it is more challenging to keep sticking plasters on security issues than it is to replace the item entirely. The problem, as Whittaker points out, is that as far as patches and updates are concerned, all too often when devices “become end of life, they can be forgotten about completely.”
“If they can’t replace devices,” Whittaker concludes, “then they should be using threat modeling techniques to consider how better to protect them and ideally removing them from internet access completely.”
More Lenovo security problems
It’s not been the best few weeks for Lenovo as far as security problems are concerned. This latest disclosure comes hot on the heels of the news from researchers at Swascan that a total of nine vulnerabilities, two high severity, and the rest medium, had been found in Lenovo’s server infrastructure. “These vulnerabilities, if exploited, could have impacted the integrity, availability, and confidentiality of the systems,” Swascan said. It also noted that all the problems have now been fixed and praised “Lenovo’s attention to our discoveries together with the email exchanges, the evaluations, the remediation activities, and the resolution times,” as being “among the most serious, professional, and transparent that we have witnessed in our careers.”
And just this week, it has also been reported that servers built by Lenovo, as well as those made by Gigabyte and a bunch of other manufacturers including Acer, had firmware vulnerabilities. The BMC (baseboard management controller) firmware was the common denominator between the systems, and it was here that the vulnerabilities were found. Those vulnerabilities could potentially enable an attacker to inject malware that would, effectively, be hidden “deep below the operating system, hypervisor, and antivirus,” where it could survive reboots or even replacement of storage drives, according to The Register.
Lenovo has issued an advisory which confirms “that in certain legacy Lenovo ThinkServer-branded servers, a command injection vulnerability exists in the BMC firmware download command.” As well as patches to fix the vulnerability, Lenovo advised customers to “restrict authorized privileged access to trusted administrators” only.
A Lenovo spokesperson provided me with the following statement regarding the data leak vulnerability: “The issue has been mitigated and customers who apply the update described in Security Advisory LEN-25557 are not at risk.”
In a later statement, referring to the ThinkServer-branded servers issue, the spokesperson added: “The issue with these legacy products has been mitigated since November, with further guidance provided to customers in Security Advisory LEN-23836.”