Lenovo Confirms Breach; 36TB of Data Exposed Due to Vulnerability in Some NAS Devices
Lenovo confirmed recently that there is a “high severity” flaw in some of its network-attached storage (NAS) devices. Unfortunately, this flaw caused the exposure of some 36 terabytes of data covering over 13,000 spreadsheet files. Even worse, the exposed data included confidential information such as financial records and payment card numbers. But wait! There is even more! Some of the vulnerable devices have hit the end of their lifecycles, which means Lenovo doesn’t support them.
There is some good news, however. First, Lenovo will be bringing back three formerly obsolete software packages to support the older devices until it can develop a patch for the flaw. Also good, Lenovo has been lauded for acting quickly and professionally to address the issue. When customers receive the patches for the products, they should be sure to install them immediately.
However, if you are still using any unsupported devices, it’s strongly advised to replace them with newer and supported models. In this case, Lenovo is supporting them for the short term due to the seriousness of the issue. However, that isn’t the case for many other manufacturers. In addition, all products should be kept updated with all software and firmware patches as soon as they are released.
If it isn’t feasible to do this for the affected devices, Lenovo’s security advisory on the issue states that “partial protection can be achieved by removing any public shares and using the device only on trusted networks.”
The list of affected products includes:
Px120350r and ix12-300r, version 18.104.22.168808
HMNHD (Home Media Network Hard Drive) Cloud Edition, version 22.214.171.124221
StorCenter ix2-200, Cloud Edition, version 126.96.36.199221
StorCenter ix4-200d, Cloud Edition, version 188.8.131.52221
StorCenter ix2-200, version 184.108.40.206227
StorCenter ix4-200d, version 220.127.116.11227
StorCenter ix4-200rl, version 18.104.22.168221
For complete information on the vulnerability, you can also look up CVE-2019-6160. Lenovo also advises customers with Iomega or LenovoEMC storage devices to check the security advisory for more information.