WD My Cloud NAS devices have hard-wired backdoor

UPDATE If you have a Western Digital My Cloud network attached storage device, it's time to learn how to update its OS because researcher James Bercegay has discovered a dozen models possess a hard-coded backdoor.

The backdoor, detailed here, lets anyone log in as user mydlinkBRionyg with the password abc12345cba.

WD mostly markets the My Cloud range as suited for file sharing and backup in domestic settings. But several of the models with the backdoor are four-disk machines suitable for use as shared storage in small business and also capable of being configured as iSCSI targets for use supporting virtual servers. Throw in the fact that some of the messed-up machines can reach 40TB capacity and there's the very real prospect that sizeable databases are dangling online.

Observant readers will have spotted that the username includes the string "dlink". D-Link, the company, also makes network attached storage (NAS) devices and Bercegay wrote that he found “references to file names and directory structure that were fairly unique, and from the D-link device. But, they also perfectly matched my WDMyCloud device”.

It became “pretty clear to me as the D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all.”

D-Link, he said, patched the DNS-320L in July 2014 (firmware version 1.0.6). Western Digital users can remove the backdoor by installing version 2.30.174 of their firmware.

This sort of thing isn't unusual in the small NAS world: Cisco's efforts were made by QNAP, while other OEMs aim to secure re-badging deals.

MyCloud versions that need patching include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Products on firmware version 4.x aren't affected.

The file upload bug Bercegay mentions is in the multi_uploadify.php function.

An error in the handling of the gethostbyaddr() function lets an attacker “send a post request that contains a file to upload using the parameter 'Filedata[0]', a location for the file to be upload to which is specified within the 'folder' parameter, and of course a bogus 'Host' header.”

An attacker can upload a PHP Web shell to the target, ask for the URI pointing to the backdoor, and trigger the payload. ®

UPDATE, January 15th: WD has posted a fix, here. ®