Security researchers have discovered an authentication bypass vulnerability in Western Digital’s My Cloud NAS devices that potentially allows an unauthenticated attacker to gain admin-level control of the affected devices.
Western Digital’s My Cloud (WD My Cloud) is one of the most popular network-attached storage (NAS) devices, used by businesses and individuals to host their files, as well as to back up and sync them with various cloud and web-based services.
The WD My Cloud devices not only let users share files in a home network; their private cloud feature also allows users to access their data from anywhere around the world at any time.
However, security researchers at Securify have discovered an authentication bypass vulnerability on the WD My Cloud NAS boxes that could allow unauthenticated attackers with network access to the device to escalate their privileges to admin-level without needing to provide a password.
This would eventually allow attackers to run commands that would typically require administrative privileges and gain complete control of the affected NAS device, including the ability to view, copy, delete and overwrite any files that are stored on the device.
Here’s How Easy It Is to Hack WD My Cloud Storage Boxes
The vulnerability, designated CVE-2018-17153, resides in the way WD My Cloud creates an admin session tied to an IP address.
By simply including the cookie username=admin in an HTTP CGI request sent to the device’s web interface, the attacker can unlock admin access and gain access to all the content stored on the NAS box.
“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate,” the researchers explain in a blog post detailing the flaw, published on Tuesday.
“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”
Long story short, just tell the WD My Cloud NAS device that you are the admin user in the cookie, and you are in without ever being asked for a password.
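The researchers’ description gives defenders two things to look for in request logs: the network_mgr.cgi call carrying cgi_get_ipv6 with flag equal to 1, and later CGI requests from the same IP address carrying the username=admin cookie. The following Python detector is an added example, not code from Securify or Western Digital; the JSON log format, the /cgi-bin/ path prefix, the cmd parameter name, example.cgi and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

# Constructed sample records (not real traffic). Assumed format: one JSON object
# per request, in time order, from a logging reverse proxy that records the
# request parameters (query string or form body) and the Cookie header.
SAMPLE_LOG = """\
{"ts": "2018-09-18T10:00:01Z", "src": "192.0.2.10", "path": "/cgi-bin/network_mgr.cgi", "params": "cmd=cgi_get_ipv6&flag=1", "cookie": ""}
{"ts": "2018-09-18T10:00:05Z", "src": "192.0.2.10", "path": "/cgi-bin/example.cgi", "params": "cmd=list", "cookie": "lang=en; username=admin"}
{"ts": "2018-09-18T10:02:00Z", "src": "198.51.100.7", "path": "/cgi-bin/network_mgr.cgi", "params": "cmd=cgi_get_ipv6&flag=0", "cookie": ""}
{"ts": "2018-09-18T10:02:09Z", "src": "198.51.100.7", "path": "/cgi-bin/example.cgi", "params": "cmd=list", "cookie": "username=admin"}
"""

def cookie_names(header):
    """Parse a Cookie header into a {name: value} dict."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {name: value for name, _, value in pairs}

def is_session_setup(rec):
    """True for the request the advisory describes: network_mgr.cgi invoked
    with the cgi_get_ipv6 command and the flag parameter equal to 1."""
    if not rec["path"].endswith("network_mgr.cgi"):
        return False
    params = parse_qs(rec["params"])
    # Match the command under any parameter name (the name itself is assumed).
    has_cmd = any("cgi_get_ipv6" in values for values in params.values())
    return has_cmd and params.get("flag") == ["1"]

def find_bypass_attempts(log_text):
    """Return {src_ip: {"setup": ts, "admin_requests": [(ts, path), ...]}}."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        src = rec["src"]
        if is_session_setup(rec):
            findings.setdefault(src, {"setup": rec["ts"], "admin_requests": []})
        elif (src in findings and rec["path"].endswith(".cgi")
              and cookie_names(rec["cookie"]).get("username") == "admin"):
            findings[src]["admin_requests"].append((rec["ts"], rec["path"]))
    return findings

if __name__ == "__main__":
    for src, hit in find_bypass_attempts(SAMPLE_LOG).items():
        print(src, hit)
```

A source address that appears in the result with an empty admin_requests list still made the session-setup call and is worth reviewing.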
Proof-of-Concept Exploit Code Released
Securify researchers have also published a proof-of-concept (PoC) exploit showing how the vulnerability can be exploited with just a few lines of code.
Obviously, the exploit requires either a local network or internet connection to a WD My Cloud device in order to run the command and bypass the NAS device’s usual login requirements.
The researchers successfully verified the vulnerability on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172, though they claimed that this issue is not limited to the model, as most products in the My Cloud series share the same “vulnerable” code.
Securify researchers found the issue while reverse engineering the CGI binaries to look for security bugs, and reported it to Western Digital in April 2017, but did not receive any response from the company.
After almost one and a half years of silence from Western Digital, researchers finally publicly disclosed the vulnerability, which is still unpatched.
This is not the first time Western Digital has ignored the security of its My Cloud NAS device users.
Earlier this year, a researcher publicly disclosed several vulnerabilities in Western Digital’s My Cloud NAS devices, including a hard-coded password backdoor in their firmware, after the company did not address the issues, which had been reported 180 days before they were made public.