'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud

Western Digital NAS machines vulnerable to hijacking via HTTP cookies

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet.

Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges.

This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it.

According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.

Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in.

"The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1," Securify explained. "Subsequent invocations of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie."

The team has posted a proof-of-concept exploit showing how the bug could be targeted with a few lines of code.

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1
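To make the design flaw concrete, here is an added Python model (illustration, not Western Digital's firmware code) contrasting an IP-bound session that trusts a client-supplied username cookie with one that only exists after a password check and is identified by a server-issued token. The command name cgi_some_admin_cmd and the client IP are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal model of one CGI request: fields mirror the PoC above."""
    ip: str
    cmd: str
    params: dict
    cookies: dict


@dataclass
class VulnerableAuth:
    """Admin session keyed only by client IP; identity read from a cookie."""
    admin_ips: set = field(default_factory=set)

    def handle(self, req):
        # cgi_get_ipv6 with flag=1 opens an IP-bound admin session (per Securify).
        if req.cmd == "cgi_get_ipv6" and req.params.get("flag") == "1":
            self.admin_ips.add(req.ip)
            return "ok"
        # Privileged commands trust the client-supplied username cookie.
        if req.ip in self.admin_ips and req.cookies.get("username") == "admin":
            return "admin:" + req.cmd
        return "denied"


@dataclass
class HardenedAuth:
    """Session created only after a password check; the cookie carries an
    unguessable server-issued token that is still bound to the client IP."""
    password: str
    sessions: dict = field(default_factory=dict)  # token -> ip

    def login(self, ip, password):
        if not secrets.compare_digest(password.encode(), self.password.encode()):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = ip
        return token

    def handle(self, req):
        # Identity comes from the token, never from a plain username cookie;
        # a token presented from a different IP is refused.
        if self.sessions.get(req.cookies.get("session")) == req.ip:
            return "admin:" + req.cmd
        return "denied"


def replay_poc(auth):
    """Send the PoC's two-step sequence and return the final verdict."""
    auth.handle(Request("10.0.0.5", "cgi_get_ipv6", {"flag": "1"}, {"username": "admin"}))
    return auth.handle(Request("10.0.0.5", "cgi_some_admin_cmd", {}, {"username": "admin"}))
```

Running replay_poc against both models shows the vulnerable one grants admin with no password ever checked, while the hardened one denies the same sequence.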

Securify said it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.

Western Digital did not return a Reg request for comment on the matter.

This isn't the first time Western Digital was taken to task for lax security on the My Cloud storage line. In January, the company had to scramble out a fix after a researcher discovered a number of My Cloud devices had a hard-coded password left in their firmware. ®

Updated to add

Western Digital has developed a security fix for the issue. It's available now as a user-installable hot fix, and will also be pushed over the air to devices.
