Western Digital fixes remote execution bug in My Cloud Mirror
Cloudy storage kit needs firmware patch, will anybody notice?
Western Digital has issued a fix for its My Cloud Mirror backup disks, after ESET "detection engineer" Kacper Szurek found an authentication bypass with remote code execution in the system.
My Cloud Mirror is a backup hard drive product sold with personal cloud storage, which means the hardware might be left Internet-visible.
Szurek writes that the login form wasn't protected against command injection.
exec() function is used without using
“So we can create string which looks like this:
wto -n "a" || other_command || "" -g which means that
other_command will be executed.”
There's a bunch of other bugs in the My Cloud Mirror 2.11.153 firmware, Szurek writes, mostly relating to parameters that aren't escaped.
The affected files in the firmware include index.php, chk_vv_sharename.php, modUserName.php, upload.php, and a gem in login_checker.php.
lib/login_checker.php there is
login_check() function which is used to check if user is logged, but it’s possible to bypass this function because it simply checks if
Western Digital fixed the issues in release 2.11.157 in late December – so make sure your box has updated itself. ®