According to a recent report, the Network Attached Storage (NAS) market is expected to grow from $23.2 billion in 2020 to $48 billion.
That’s hardly a surprising forecast. With the pandemic restricting people from leaving their homes, most people are using enterprise data storage systems, VPNs, remote conferencing tools, BI tools, etc. to work remotely. And without a vaccine in place, we are looking at an extended period of remote working.
While enterprise data storage systems are great to work with, they are also sitting ducks for attacks.
In our recent report series ‘Cyber Risk in Enterprise Database’, we examined popular enterprise data storage applications for vulnerabilities and found many that have potentially been weaponized; the prognosis is not good.
If this technology is going to be used widely in the next few years, then the critical vulnerabilities that exist in these products must be fixed.
Key Findings
The report puts popular Enterprise Data Storage Systems under the lens and delves deep into their vulnerabilities.
- 108 CVEs are weaponized
- 56 CVEs have RCE and Privilege Execution
- 3 CVEs are associated with Ransomware Ryuk
- Scanners such as Nessus, Nexpose, Qualys have missed 41, 43, and 30 vulnerabilities, respectively.
Vulnerabilities in Enterprise Data Storage Systems
We analyzed over 741 vulnerabilities in total and found 108 CVEs have been weaponized. Out of these, 56 CVEs are associated with RCE (Remote Code Execution), and 3 are connected to Ransomware.
Weaponization of Vulnerabilities
Among the popular vendors that went under our microscope, our findings reveal the following:
- Netapp and Synology have the highest number of vulnerabilities that are yet to be weaponized.
- Zyxel (28) has the highest number of weaponized vulnerabilities, followed by Synology (21).
Critical vulnerabilities
There are 121 critical vulnerabilities in total; among them, Zyxel (18) has the highest number of critical vulnerabilities, followed by NEC (17) and Qnap (14).
We analyzed the weaponization trends for the past decade and found that weaponization rates have been increasing since 2015, with spikes in 2017 and 2018.
If usage of enterprise data storage systems is going to spike, then these vulnerabilities need to be fixed immediately.
Count of vulnerabilities missed by popular scanners
Vendor | Nessus | Nexpose | Qualys
Asustor | 3 | 3 | 1
Commvault | 0 | 2 | 2
Drobo | 1 | 1 | 0
EMC | 1 | 1 | 1
HP | 1 | 1 | 1
QNAP | 9 | 9 | 3
Seagate | 6 | 6 | 4
Synology | 8 | 8 | 7
XEN | 1 | 1 | 1
Yamaha | 1 | 1 | 1
Zyxel | 10 | 10 | 9
Total | 41 | 43 | 30
CVE-2019-6110 in Vmware, a server vulnerability that was used in Ryuk ransomware attacks in the past, and CVE-2018-20685 and CVE-2019-6109 in Western Digital, also associated with the same ransomware, have not been detected by these scanners. These vulnerabilities need to be fixed immediately, before they are exploited in the wild.
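Because the scanners above each miss a different subset of weaponized CVEs, a practical defender's check is to reconcile every scanner's export against a watchlist of known-weaponized identifiers and flag what none of them reported. The following is an added example, not code from the report: it seeds the watchlist with the three CVE identifiers named above (vendor attributions kept as the page states them) plus a labelled placeholder, and the scanner names, export layout and host addresses are constructed assumptions.

```python
# Added example, not code from the report: reconcile scanner exports against a
# watchlist of weaponized CVEs so coverage gaps like those in the table surface.
import csv
import io
from typing import Dict, Set

# Constructed watchlist: the three CVEs the post ties to Ryuk (vendor attributions
# as stated on the page) plus one obviously labelled placeholder entry.
WEAPONIZED_WATCHLIST: Dict[str, str] = {
    "CVE-2019-6110": "Vmware",
    "CVE-2018-20685": "Western Digital",
    "CVE-2019-6109": "Western Digital",
    "CVE-0000-PLACEHOLDER": "ExampleVendor (placeholder)",
}

# Constructed scanner exports in a simple host,cve CSV layout (hypothetical
# scanner names; real tools export richer formats, so adapt parse_export).
SCAN_EXPORTS: Dict[str, str] = {
    "ScannerA": "host,cve\n10.0.0.5,CVE-2019-6110\n10.0.0.7,cve-0000-placeholder\n",
    "ScannerB": "host,cve\n10.0.0.5,CVE-2018-20685\n10.0.0.5,CVE-2018-20685\n",
}


def parse_export(text: str) -> Set[str]:
    """Return the set of CVE ids reported in one export, normalised to upper case."""
    reader = csv.DictReader(io.StringIO(text))
    return {row["cve"].strip().upper() for row in reader if row.get("cve")}


def coverage_gaps(watchlist: Dict[str, str],
                  exports: Dict[str, str]) -> Dict[str, Set[str]]:
    """Per scanner, the watchlist CVEs that scanner never reported on any host."""
    return {name: set(watchlist) - parse_export(text) for name, text in exports.items()}


def missed_by_all(gaps: Dict[str, Set[str]]) -> Set[str]:
    """CVEs no scanner reported: these need manual verification, not another scan."""
    return set.intersection(*gaps.values()) if gaps else set()


if __name__ == "__main__":
    gaps = coverage_gaps(WEAPONIZED_WATCHLIST, SCAN_EXPORTS)
    for scanner, missing in sorted(gaps.items()):
        print(f"{scanner}: missed {len(missing)} watchlist CVEs -> {sorted(missing)}")
    for cve in sorted(missed_by_all(gaps)):
        print(f"MISSED BY ALL: {cve} ({WEAPONIZED_WATCHLIST[cve]})")
```

With the constructed exports, CVE-2019-6109 is reported by neither scanner and is the one that needs manual verification on the affected hosts.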
Download the whitepaper Cyber Risk in Enterprise Data Storage