SITUATION REPORT

Actor Type: II
Serial: SR-18-017-002
Countries: IN, CN
Report Date: 20180111


Critical Vulnerabilities in Western Digital ‘My Cloud’ Storage Devices

Various critical vulnerabilities have been identified in Western Digital’s My Cloud network attached storage (NAS) devices, which attackers could use to gain root access to a device.

Western Digital’s My Cloud NAS is a personal cloud storage unit that organizes photos and videos.[1] It is listed on Amazon as a highly rated device and is widely used by individuals and businesses. WD-NAS allows automatic backup and syncing with various cloud-based services. The device permits users to share files in a home network and through a private cloud feature. The following versions are vulnerable[2]:

  • MyCloud
  • MyCloudMirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

The vulnerabilities were discovered by the GulfTech research and development team. The following vulnerabilities are identified in the advisory:

Unrestricted File Upload

This vulnerability allows a remote attacker to upload an arbitrary file to the web server running on internet-connected vulnerable storage devices, which in turn allows the attacker to execute arbitrary code.

The vulnerability exists in the following file: /usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php

The vulnerability exists due to the developer’s incorrect use of the gethostbyaddr() PHP function. It can be easily exploited to gain a remote shell as root by sending a POST request containing a file to upload in the Filedata[0] parameter. A Metasploit module has also been developed to exploit this vulnerability; it can be found at https://dl.packetstormsecurity.net/1801-exploits/GTSA_wdmycloud_backdoor.rb.txt

Hardcoded Backdoor

The researchers from GulfTech also discovered a backdoor with the admin username mydlinkBRionyg and the password abc12345cba. Anyone can log into My Cloud devices with these credentials, which are hardcoded into the binary and cannot be changed. This backdoor access can also allow malicious attackers to reach code that is vulnerable to command injection, and can even allow an attacker to spawn a root shell and access restricted data.

Other Vulnerabilities

Other vulnerabilities found in the storage devices include cross-site request forgery, command injection, denial of service, and information disclosure.

Mitigation

Users should upgrade the firmware to version 2.30.174. Users can download the latest patches from https://support.wdc.com/downloads.aspx

It is also recommended to enable automatic updates on devices. Beyond firmware updates, it is also recommended that users implement strict data protection practices such as regular data backups as well as password protection for personal cloud or network-attached storage devices.
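As an added defender-side example (not part of the Wapack Labs report or of Western Digital’s code), the Python below triages constructed web-server access log lines for POST requests to the vulnerable uploader script and for requests authenticated as the hardcoded backdoor account named above, and checks a firmware version string against the fixed release 2.30.174 from the Mitigation section. The combined-log layout, the URL path under which the script is served, and the presence of a username field in the log are assumptions.

```python
import re
from typing import Dict, List

FIXED_VERSION = (2, 30, 174)          # fixed firmware named in the Mitigation section
UPLOADER_PATH = "/jquery/uploader/multi_uploadify.php"  # tail of the vulnerable script's path
BACKDOOR_USER = "mydlinkBRionyg"      # hardcoded account from the advisory

# Generic combined-log line: ip ident user [time] "METHOD path proto" status ...
# Assumption: the device's web log follows this layout.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_version(version: str) -> tuple:
    """Turn '2.30.174' into (2, 30, 174) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

def is_patched(version: str) -> bool:
    """True when the reported firmware is at or beyond the fixed release."""
    return parse_version(version) >= FIXED_VERSION

def triage_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Flag POSTs to the vulnerable uploader and any request authenticated as the backdoor user."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        path = match.group("path").split("?", 1)[0]  # drop any query string
        if match.group("method") == "POST" and path.endswith(UPLOADER_PATH):
            findings.append({"ip": match.group("ip"), "reason": "POST to vulnerable uploader"})
        if match.group("user") == BACKDOOR_USER:
            findings.append({"ip": match.group("ip"), "reason": "backdoor account used"})
    return findings

# Constructed sample log lines (not from a real device).
SAMPLE_LOG = [
    '198.51.100.7 - - [11/Jan/2018:10:02:11 +0000] "POST /web/jquery/uploader/multi_uploadify.php HTTP/1.1" 200 512',
    '192.0.2.10 - - [11/Jan/2018:10:03:45 +0000] "GET /web/images/logo.png HTTP/1.1" 200 2048',
    '198.51.100.7 - mydlinkBRionyg [11/Jan/2018:10:05:02 +0000] "GET /web/index.php HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for finding in triage_access_log(SAMPLE_LOG):
        print(f"{finding['ip']}: {finding['reason']}")
    for fw in ("2.30.172", "2.30.174"):
        print(f"firmware {fw}: {'patched' if is_patched(fw) else 'UNPATCHED, upgrade to 2.30.174'}")
```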

Contact the Wapack Labs for more information: 603-606-1246, or feedback@wapacklabs.com.


[1] https://www.exploitee.rs/index.php/Western_Digital_MyCloud

[2] http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
