Iomega StorCenter & Lenovo EMC NAS devices are leaking users’ information

Web application security specialists have reported a critical firmware-level vulnerability in Lenovo's network-connected storage devices; if exploited, this flaw could compromise the security of the information that users store on these devices.

The vulnerability exists only in some models of network attached storage (NAS) devices and allows unauthenticated users to access and read data stored on these drives. In addition, exploitation is relatively simple and is carried out through the Application Programming Interface (API), according to the researchers who reported the flaw.

During early research, web application security specialists found at least 5,100 vulnerable devices and more than 3 million files exposed online; however, due to the extensive use of NAS equipment manufactured by Lenovo, the number of users exposed could be much bigger.

It is estimated that the exposed information could reach 40 terabytes; many of these exposed devices have already been indexed by commonly used search engines, such as Google. According to reports, some of the exposed folders contain sensitive information, such as payment card details and other financial data.

On the other hand, the company notified users of these devices about the flaw, described as “a severe vulnerability that allows authentication access to files on NAS shares”. Lenovo asks users of vulnerable devices to install the firmware update as soon as possible.

According to web application security experts, if a user is unable to update the firmware to the latest version at this time, a possible workaround is to delete any public shares and use the device only on a trusted network.

Specialists from the International Institute of Cyber Security (IICS) explain that the firmware update released by Lenovo changes fundamental aspects of the API and web interface of the NAS devices to improve the user experience. Such updates should be a constant in the industry because of the strong interest that information stored online arouses in threat actor groups.
