Vertical Structure and WhiteHat partner on Lenovo Vulnerability Disclosure... [read more]

Best Practices in Identifying and Remediating Vulnerabilities

By Bryan Becker, WhiteHat Security and Simon Whittaker, Vertical Structure

The Journey to Remediating a Lenovo Vulnerability that Left 36TB of Data Exposed

It’s in the nature of cybersecurity that every technology vendor and service provider is vulnerable to security breaches and attacks in some form. But whether it’s Microsoft, Google, Amazon or Facebook, how organizations react to a problem can be just as important as the steps they take to prevent them.

In the past decade, we have all seen dozens of tech giants fall victim to devastating data breaches and crippling vulnerabilities with cyberattacks becoming the fastest-growing crime in the U.S. In WhiteHat’s 2018 Application Security Statistics Report, it was discovered:

  • Windows of Exposure saw a 33 percent increase from last year
  • Time to fix vulnerabilities saw a 2 percent increase
  • Remediation rate for companies remained stagnant

This data underlines how every organization can be affected by an outside adversary or data leak even with security barriers in place.

In this article, we’ll take a closer look at how research partners Vertical Structure and WhiteHat Security worked together to identify and verify a vulnerability, and then notify and work with the vendor to quickly and effectively remediate the issue and protect customers.

How the Vulnerability was Discovered

In the fall of 2018, during a search on Shodan.io, software designed to monitor network security, a Vertical Structure employee discovered a pattern of unmarked files that looked out of place. After some investigating, the researcher found external hard drives that would leak information through specially crafted requests via an API but not through their web interface. Initial estimates showed that many terabytes of data were exposed

While Google had already indexed a number of these devices, Vertical Structure decided to investigate a bit further to find out what kind of information was being compromised.

Vertical Structure was able to find about 13,000 spreadsheet files indexed, with 36 terabytes of data available. The number of files in the index from scanning totaled to 3,030,106. Within these files, there was a significant amount of files with sensitive financial information including card numbers and financial records. Vertical Structure was able to track down the source, a legacy Iomega storage product acquired by EMC and co-branded Lenovo-EMC in a joint venture.

What Was Discovered

Total amount of data indexed

Potentially interesting data found

Web interface for browsing the results

Verifying the Vulnerability

After discovering the compromised Lenovo device, Vertical Structure contacted WhiteHat Security because of its world-renowned reputation in helping secure applications, to work together to verify the vulnerability found.

Verifying vulnerabilities is a very important step in securing applications, networks and devices. After all, on an average day, WhiteHat scanners discover hundreds upon hundreds of new potential vulnerabilities. In order to protect organizations from a constant barrage of false positives, each and every one of the potential vulnerabilities is carefully assessed and verified by WhiteHat’s team of application security engineers at its Threat Research Center (TRC).

Once Vertical Structure contacted WhiteHat, the company did an initial investigation to verify the information found was indeed an issue. After using the combination of WhiteHat’s machine learning-powered scanners and TRC, WhiteHat was able to confirm with Vertical Structure that the vulnerability was valid.

Alerting Lenovo and Remediating the Issue

The next step in Vertical Structure and WhiteHat’s process was alerting Lenovo of the problem.

Once Lenovo confirmed there was an issue, the company quickly took action:

1. In discovering this vulnerability, Lenovo pulled three versions of its software out of retirement and brought them back so their customers could continue to utilize their technologies while they patched the vulnerability

2. Lenovo then pulled old software from version control to investigate any other potential vulnerabilities to fix and release updates

How Organizations Can Learn from Lenovo

Lenovo’s professional approach to vulnerability disclosure offers a good lesson for other organizations who experience similar challenges. Not only did they have a clearly stated vulnerability disclosure policy on their site with contact information, but they responded quickly and worked with WhiteHat and Vertical Structure to understand the nature of the problem and quickly resolve it.

In sharing this story, both WhiteHat and Vertical Structure hope companies are inspired to always keep cybersecurity top of mind to keep up with the constant barrage of new vulnerabilities and exposures.

Further details about the vulnerability and Lenovo's resolution are available at Lenovo's Website

Want to find out more about our security testing?

Contact Us