Flaw in Iomega, LenovoEMC NAS devices exposes millions of files on the Internet

A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet.

About Iomega and LenovoEMC

Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses.

About the vulnerability (CVE-2019-6160)

CVE-2019-6160 affects a number of Iomega and LenovoEMC NAS products, which have reached End-of-Service-Life four years ago.

The vulnerability stems from an unprotected API call and allows anyone to use Shodan to find vulnerable NAS devices and then simply download the exposed files by sending a specially crafted requests.

The data leak was discovered by a Vertical Structure researcher via Shodan, the search engine for Internet-connected devices, and the existence of the flaw was confirmed by WhiteHat Security researchers.

After getting notified and confirming the existence of the security issue, Lenovo has released firmware updates for three versions of its software, so that customers may safely continue using the NAS devices.

“Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates,” the researchers noted.

“Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.”

If you own an Iomega or LenovoEMC storage device, check out Lenovo’s security advisory and, if needed, implement the offered update.

“If it is not feasible to update the firmware immediately, partial protection can be achieved by removing any public shares and using the device only on trusted networks,” Lenovo advised.

UPDATE (August 20, 2019, 4:05 a.m. PT):

Researcher Rafael Pedrero has discovered an additional information leakage vulnerability in Iomega and LenovoEMC NAS products that could allow disclosure of some device details such as Share names through the device API when Personal Cloud is enabled.

“There is no patch for CVE-2019-6178. To protect your device against this vulnerability, disable Personal Cloud. If Personal Cloud is enabled, avoid using sensitive share names and only use the device on trusted networks,” Lenovo urges.