LenovoEMC network storage hardware leaks sensitive data

Pizza Girl, PwnPizza
Aug 14, 2019

LenovoEMC, formerly known as Iomega, is a company owned by Lenovo for network-based storage services. It was founded in the 1980s and has sold more than 410 million digital storage drives and disks [1]. On July 16, 2019, a high-severity vulnerability was disclosed in its network-attached storage which could lead to a breach of data stored on the devices [2].

Why is it important?

It is crucial due to the number of people and businesses that could potentially be involved. This vulnerability would enable an unauthenticated user to access files on network-attached storage shares via the LenovoEMC application programming interface. It is known to impact models from enterprise-level StorCenter devices to the personally-accessible Home Media Network Hard Drive [2][3]. As it is tied to the LenovoEMC API, it is also in theory remotely attackable.

Who is affected?

Any person or enterprise who owns LenovoEMC network-attached storage hardware, more specifically the models named under LenovoEMC StorCenter blade servers, Home Media Network Hard Drive, or StorCenter, will be directly affected [2][3]. Lenovo is currently working on resolving the issue. In the meantime, partial protection can be accomplished by using the device only on trusted networks and turning off public shares, but this limits capability [2].

What impact might it have on people?

Any of the data stored on these network drives can be exposed. This can include sensitive financial information such as personal card numbers and transaction records. In fact, the vulnerability was discovered by researchers who stumbled on 36 terabytes of data which already includes this sensitive information [2]. It compromises confidentiality and causes a violation of privacy, which could lead to a giant loss for an individual or a company.

What were the causes?

This vulnerability traces back to a bug that surfaced after a search on Shodan, a product intended to recognize network security flaws [3]. After examination, WhiteHat Security found that the vulnerability was tied to the LenovoEMC API. Essentially, the API is totally unauthenticated and provides the capability to list, access and retrieve files remotely in a trivial manner [3]. More importantly, the vulnerability exists at the firmware layer, which is not feasible to update immediately. It is understood that the fix will include fundamental changes to the API and the web interface [3].
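To make the missing-authentication flaw concrete, here is an added example (not Lenovo's code and not from the cited sources) that models a file-listing API handler with no authentication beside a deny-by-default version. The share names, token, `Request` class and function names are all hypothetical, and the data is constructed.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample data: share names, files and the token are illustrative only.
SHARES = {"public": ["readme.txt"], "finance": ["cards.csv", "transactions.xlsx"]}
API_TOKENS = {"example-admin-token": {"public", "finance"}}  # token -> readable shares
PUBLIC_SHARES_ENABLED = False  # interim mitigation from the advisory: public shares off


@dataclass
class Request:
    share: str
    headers: dict = field(default_factory=dict)


def list_share_unauthenticated(req):
    """The flaw as described: any caller who can reach the API gets the listing."""
    if req.share not in SHARES:
        return 404, []
    return 200, SHARES[req.share]


def _allowed_shares(headers):
    """Return the shares the presented bearer token may read (empty set if none)."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return set()
    for token, shares in API_TOKENS.items():
        # Constant-time comparison avoids leaking token contents through timing.
        if hmac.compare_digest(token.encode(), presented.encode()):
            return shares
    return set()


def list_share_authenticated(req):
    """Deny by default: authenticate, then authorize per share, then serve."""
    if req.share == "public" and PUBLIC_SHARES_ENABLED:
        return 200, SHARES["public"]
    allowed = _allowed_shares(req.headers)
    if not allowed:
        return 401, []
    if req.share not in allowed or req.share not in SHARES:
        return 403, []  # same answer for forbidden and unknown shares
    return 200, SHARES[req.share]
```

The hardened handler returns the same 403 for a forbidden share and a nonexistent one, so an authenticated caller cannot use error codes to enumerate share names.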

How might similar problems be prevented in the future?

It is noted that this vulnerability was not found by a hacker, but by researchers and software that monitor network security. The search on Shodan was executed in the fall of 2018. At that time, a Vertical Structure employee was able to discover a pattern of unmarked files that looked out of place [3]. Once Lenovo confirmed that there was an issue, they clearly stated the issue on their website and provided several options customers can take to protect themselves before the formal release of a patch [4]. Lenovo’s professional approach to vulnerability disclosure greatly reduced the possibility of the vulnerability being exploited by an attacker. Other organizations that might encounter similar challenges should learn from it.

Some questions for discussion:

If a company using LenovoEMC network drives has its users’ passwords leaked due to this vulnerability, do you think Lenovo should be held responsible? If so, how?

Nowadays, we want many things to be remotely accessible, from servers to storage hardware to gaming services like Google Stadia. Do you think this opens more opportunity for hackers to attack? If so, what are your opinions on these network-based services?

References:

[1] https://californiananoeconomy.org/content/lenovoemc

[2] https://support.lenovo.com/ca/en/product_security/len-25557

[3] https://threatpost.com/lenovoemc-storage-leak-financial-data/146494/

[4] https://www.whitehatsec.com/blog/best-practices-in-identifying-and-remediating-vulnerabilities/
