Western Digital My Cloud password vulnerability discovered

Anonim

Western Digital My Cloud devices were found to be affected by an authentication vulnerability. A hacker could gain full administrative access to the disk through the web portal without having to use a password, thereby gaining full control of the My Cloud device.

Western Digital My Cloud with security issues

This vulnerability was successfully verified on a Western Digital My Cloud WDBCTL0020HWT model running firmware version 2.30.172. This problem is not limited to a single model, since most of the My Cloud series products share the same code, and therefore the same security problem.

Western Digital My Cloud is a low-cost, network-attached storage device. It was recently discovered that a user with some knowledge could easily use the web interface to create an administration session that is linked to an IP address. By exploiting this problem, an unauthenticated attacker can execute commands that would normally require administrator privileges and gain full control of the My Cloud device. The problem was discovered while reverse engineering the CGI binaries to look for security issues.

The details

Every time an administrator authenticates, a server-side session is created that is tied to the user's IP address. Once the session is created, it is possible to call the authenticated CGI modules by sending the username=admin cookie in the HTTP request. The invoked CGI will check if a valid session is present and linked to the user's IP address.

It was discovered that an unauthenticated attacker may create a valid session without having to log in. The CGI module network_mgr.cgi contains a command called cgi_get_ipv6 that, when invoked with the parameter flag equal to 1, starts an administration session bound to the IP address of the requesting user. Subsequent invocations of commands that would normally require administrator privileges are then authorized if the attacker sets the username=admin cookie, which would be a piece of cake for any hacker.
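
A simplified model of the session logic described above, next to a hardened design. This is an added example, not Western Digital's firmware code: the class and method names are hypothetical, and the random-token session is one common remediation, not the vendor's patch.

```python
# Added illustration: simplified model, not the device's firmware code.
import hmac
import secrets

class IpBoundSessions:
    """Flawed model: a session is only the fact 'this IP is admin'."""
    def __init__(self):
        self.admin_ips = set()
    def login(self, ip, password_ok):
        if password_ok:
            self.admin_ips.add(ip)
    def get_ipv6(self, ip, flag):
        # Flaw: a handler reachable without login creates a session.
        if flag == 1:
            self.admin_ips.add(ip)
        return "ipv6-info"
    def is_admin(self, ip, cookies):
        # The cookie is client-supplied, so it proves nothing by itself.
        return cookies.get("username") == "admin" and ip in self.admin_ips

class TokenSessions:
    """Hardened model: only login() creates a session, keyed by a random token."""
    def __init__(self):
        self.tokens = {}  # token -> (username, ip)
    def login(self, ip, username, password_ok):
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (username, ip)
        return token
    def get_ipv6(self, ip, flag):
        return "ipv6-info"  # read-only: session state is never touched
    def is_admin(self, ip, cookies):
        presented = cookies.get("session", "").encode()
        for token, (user, bound_ip) in self.tokens.items():
            if hmac.compare_digest(token.encode(), presented):
                return user == "admin" and bound_ip == ip
        return False

def demo():
    ip = "192.0.2.10"  # constructed documentation address
    forged = {"username": "admin"}  # cookie any client can set
    weak, strong = IpBoundSessions(), TokenSessions()
    before = weak.is_admin(ip, forged)
    weak.get_ipv6(ip, flag=1)
    after = weak.is_admin(ip, forged)
    strong.get_ipv6(ip, flag=1)
    hardened = strong.is_admin(ip, forged)
    return before, after, hardened
```

In the flawed model the forged cookie is rejected before the informational call and accepted after it; in the hardened model the same sequence never yields an administrator session, because authorization depends on a secret the server issued at login.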

At the moment, the problem has not been solved, pending a firmware update from Western Digital.

Source: Guru3D
