An analysis conducted by researchers at Vertical Structure and WhiteHat Security allowed discovering a vulnerability in discontinued Iomega/Lenovo NAS devices, tracked as CVE-2019-6160, that exposed millions of files.
The discovery was made in the fall of 2018 querying the Shodan search engine and revealed 5,114 devices storing over 3 million files. The issue exposed roughly 20,000 documents, 13,000 spreadsheets, 13,000 text files and 405,000 pictures. Some of the documents contained sensitive information, including card numbers and financial records.
The experts believe the actual number of exposed systems could be
“Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106.” states a blog post published by WhiteHat Security.
“Within these files, there was a significant amount of files with sensitive financial card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.”
The vulnerability could have been exploited by a remote,
The exploitation of the issue could be automated by developing a script that scans the internet for vulnerable Iomega/Lenovo NAS devices and sends crafted requests to the vulnerable ones.
After the researchers
“A vulnerability in Iomega and LenovoEMC NAS products could allow an
In October 2018, experts at Lenovo discovered nine vulnerabilities affecting discontinued Iomega and LenovoEMC NAS devices that could be exploited by
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.