Patch now before you get your NAS kicked: Iomega storage boxes leave millions of files open to the internet

API blunder exposes data, fix incoming from Lenovo


Lenovo is emitting an emergency firmware patch for Iomega NAS devices after the network-attached storage boxes were discovered inadvertently offering millions of files to the internet via an insecure software interface.

Infosec outfits Vertical Structure, based in Northern Ireland, and WhiteHat Security, headquartered in Silicon Valley, together found and reported the vulnerability to Lenovo, we're told. If you're thinking, wow, Iomega, I didn't know they were still going: EMC bought it in 2008, and in 2013, a Lenovo-EMC joint venture rebooted the brand as LenovoEMC gear.

We're told this file-leaking flaw was discovered last autumn by a Vertical Structure employee who found a strange bunch of files showing up in search results on Shodan.io, a website for finding all sorts of public-facing systems, from bog-standard web servers to power plant equipment and Internet-of-Things gizmos.

After some digging, Vertical Structure concluded the documents were being offered to the internet, without any password or other authentication checks, via an unprotected API call: an interface that programs use to talk to one another. That means anyone aware of the API and its security shortcomings could have searched Shodan for vulnerable public-facing Iomega NAS drives, and siphoned off strangers' file systems.

"The API is completely unauthenticated and provided the ability to list, access, and retrieve the files remotely in a trivial manner," Vertical Structure director Simon Whittaker told El Reg on Monday. "It is similar to millions of open [AWS] S3 buckets being discovered."


The API was eventually tracked down to an older set of Iomega NAS boxes that were, via the dodgy interface, leaving millions of files exposed to the web. It appears the API is provided to share files over the network, as you'd expect from a network-attached storage device. Unfortunately, however, this API can be accessed without any password, which is super-bad news for those facing the public internet, as many were and still are.

"Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106," Vertical Structure and WhiteHat said in a summary of the bug, shared with El Reg ahead of its public distribution on Tuesday.

"Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded LenovoEMC in a joint venture."

Of those three million files, Whittaker said 405,398 were images, 20,055 were documents, 13,677 were spreadsheets, and 13,972 were text documents.

After realizing the extent of the exposure, Vertical Structure called in WhiteHat, who ran their own investigation on the leak, and confirmed that public-facing Iomega-LenovoEMC devices were in fact spewing data onto the internet.

The two companies then alerted Lenovo to the problem, and the vendor responded by bringing the software out of retirement to address the bug. Details of the API flaw were not shared as the patch for the hole has only just landed, we understand.

In short, check you're running the latest firmware on your Iomega or LenovoEMC NAS box in order to protect against attack. Lenovo declined to comment, although a spokesperson told us it will release a customer advisory on Tuesday with more information. We imagine the memo will appear here at some point. ®
