Lenovo Confirms Breach; 36TB of Data Exposed Due to Vulnerability in Some NAS Devices

Lenovo recently confirmed a “high severity” flaw in some of its network attached storage (NAS) devices. Unfortunately, this flaw caused the exposure of some 36 terabytes of data covering over 13,000 spreadsheet files. Even worse, the exposed data included confidential information such as financial records and payment card numbers. But wait! There is even more! Some of the vulnerable devices have reached the end of their lifecycles, which means Lenovo doesn’t support them.

There is some good news, however. First, Lenovo will be bringing back three formerly obsolete software packages to support the older devices until it can develop a patch for the flaw. Second, Lenovo has been lauded for acting quickly and professionally to address the issue. When customers receive the patches for their products, they should be sure to install them immediately.

If you are still using any unsupported devices, you are strongly advised to replace them with newer, supported models. In this case, Lenovo is supporting them for the short term due to the seriousness of the issue, but that isn’t the case for many other manufacturers. In addition, all products should be kept updated with software and firmware patches as soon as they are released.

If it isn’t feasible to do this for the affected devices, Lenovo stated in its related security advisory that “partial protection can be achieved by removing any public shares and using the device only on trusted networks.”

The list of affected products includes:

  • Px120350r and ix12-300r, version 4.0.24.34808
  • HMNHD (Home Media Network Hard Drive) Cloud Edition, version 3.2.16.30221
  • StorCenter ix2-200, Cloud Edition, version 3.2.16.30221
  • StorCenter ix4-200d, Cloud Edition, version 3.2.16.30221
  • StorCenter ix2-200, version 2.1.50.30227
  • StorCenter ix4-200d, version 2.1.50.30227
  • StorCenter ix4-200rl, version 2.1.50.30221

For complete information on the vulnerability, you can also look up CVE-2019-6160. Lenovo also advises customers with Iomega or LenovoEMC storage devices to check the security advisory for more information.