WD My Cloud NAS devices have hard-wired backdoor

This is serious: some of the messed-up machines can host VMs and databases


UPDATE If you have a Western Digital My Cloud network attached storage device, it's time to learn how to update its OS because researcher James Bercegay has discovered a dozen models possess a hard-coded backdoor.

The backdoor, detailed in Bercegay's advisory, lets anyone log in as user mydlinkBRionyg with the password abc12345cba.

WD mostly markets the My Cloud range as suited for file sharing and backup in domestic settings. But several of the models with the backdoor are four-disk machines suitable for use as shared storage in small business and also capable of being configured as iSCSI targets for use supporting virtual servers. Throw in the fact that some of the messed-up machines can reach 40TB capacity and there's the very real prospect that sizeable databases are dangling online.

Observant readers will have spotted that the username includes the string "dlink". D-Link, the company, also makes network attached storage (NAS) devices and Bercegay wrote that he found “references to file names and directory structure that were fairly unique, and from the D-link device. But, they also perfectly matched my WDMyCloud device”.

It became “pretty clear to me as the D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all.”

D-Link, he said, patched the DNS-320L in July 2014 (firmware version 1.0.6). Western Digital users can remove the backdoor by installing version 2.30.174 of their firmware.

This sort of thing isn't unusual in the small NAS world, where code is routinely shared between brands: Cisco's NAS boxes were made by QNAP, while other OEMs aim to secure re-badging deals.

MyCloud versions that need patching include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Products on firmware version 4.x aren't affected.

The file upload bug Bercegay mentions is in the multi_uploadify.php script.

An error in the handling of the gethostbyaddr() function lets an attacker “send a post request that contains a file to upload using the parameter 'Filedata[0]', a location for the file to be uploaded to which is specified within the 'folder' parameter, and of course a bogus 'Host' header.”

An attacker can upload a PHP Web shell to the target, request the URI of the uploaded file, and so execute the payload without ever authenticating. ®
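For anyone who still has an unpatched box and wants to know whether it has already been visited, the chain above leaves a recognisable trail in a web-server access log: a POST to multi_uploadify.php with a nonsense Host header, a PHP file then being fetched from a share rather than from the web UI, and, for the credential backdoor, the username mydlinkBRionyg turning up in a request. The following is an added example written for this page, not code from The Register, GulfTech or Western Digital. It assumes an Apache/NCSA combined-format log with the request's Host header appended as one extra quoted field; the sample lines, the trusted host names, the /web/ web-root directory and the directory paths in the requests are all constructed for the example, so treat the parser and those values as assumptions to adapt to a real device.

```python
"""Access-log triage for the two My Cloud issues described in the article.

Added example: this is not code from The Register, GulfTech or Western Digital.
It assumes a web-server log in Apache/NCSA combined format with one extra
quoted field, the request's Host header, appended to each line. The sample
below is constructed; real My Cloud logs may use a different format, so the
parser is an assumption to adapt.
"""
import re
from dataclasses import dataclass

# Facts from the disclosure: the hard-coded backdoor account and the script
# that carries the unauthenticated upload bug.
BACKDOOR_USER = "mydlinkBRionyg"
UPLOAD_SCRIPT = "multi_uploadify.php"

# Assumptions for the example (not from the article):
# - names/addresses a legitimate browser session would put in the Host header
# - the directory that holds the device's own web UI; PHP fetched from
#   anywhere else looks like an uploaded web shell
TRUSTED_HOSTS = {"localhost", "127.0.0.1", "wdmycloud", "wdmycloud.local", "192.168.1.20"}
WEB_ROOT = "/web/"

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<host>[^"]*)"$'
)


@dataclass
class Finding:
    line_no: int
    rule: str
    src: str
    detail: str


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Run the three rules over an iterable of log lines and return findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        host = rec["host"].split(":", 1)[0].lower()

        # 1. The upload bypass needs a POST to multi_uploadify.php with a bogus
        #    Host header, so flag such POSTs whose Host is not the device itself.
        if rec["method"] == "POST" and path.endswith(UPLOAD_SCRIPT) and host not in TRUSTED_HOSTS:
            findings.append(Finding(n, "upload-bypass", rec["src"], f"Host header {rec['host']!r}"))

        # 2. A .php file served from outside the web UI directory is the
        #    footprint of an uploaded web shell being triggered.
        if path.lower().endswith(".php") and not path.startswith(WEB_ROOT):
            findings.append(Finding(n, "php-outside-webroot", rec["src"], path))

        # 3. The backdoor username anywhere in the line (query string or the
        #    auth-user field) is never legitimate.
        if BACKDOOR_USER in line:
            findings.append(Finding(n, "backdoor-user", rec["src"], rec["path"]))
    return findings


# Constructed sample: two benign lines, then an attacker walking the chain.
SAMPLE_LOG = """\
192.168.1.55 - - [05/Jan/2018:10:02:11 +0000] "GET /web/index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "wdmycloud.local"
192.168.1.55 - - [05/Jan/2018:10:02:30 +0000] "POST /web/jquery/uploader/multi_uploadify.php?folder=/shares/Public HTTP/1.1" 200 51 "http://wdmycloud.local/" "Mozilla/5.0" "wdmycloud.local"
203.0.113.7 - - [05/Jan/2018:10:05:02 +0000] "POST /web/jquery/uploader/multi_uploadify.php?folder=/shares/Public HTTP/1.1" 200 51 "-" "python-requests/2.18.4" "bogus"
203.0.113.7 - - [05/Jan/2018:10:05:03 +0000] "GET /shares/Public/shell.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.18.4" "192.168.1.20"
203.0.113.9 - - [05/Jan/2018:10:09:40 +0000] "POST /cgi-bin/login.cgi?username=mydlinkBRionyg HTTP/1.1" 200 33 "-" "curl/7.55.1" "192.168.1.20"
"""


def scan(text: str):
    """Convenience wrapper: analyse a whole log file held as one string."""
    return analyse(text.splitlines())


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule} from {f.src} ({f.detail})")
```

Run against the constructed sample it reports the bogus-Host upload on line 3, the web shell fetch on line 4 and the backdoor username on line 5, while the legitimate browser upload on line 2 passes because its Host header is the device's own name. The Host-header rule is the one most worth keeping after patching: a request that names the device by something it is not called is suspicious on any embedded web server, not just this one.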

UPDATE, January 15th: WD has posted a fix, here. ®
