Vulnerability in My cloud devices exposes sensitive information

Western Digital My Cloud authentication bypass vulnerability would allow hackers to access stored content

Researchers from an ethical hacking firm discovered a privilege escalation vulnerability on the Western Digital My Cloud platform, which hackers could leverage to gain admin-level access to the device through a HTTP request. The flaw, identified as CVE-2018-17153, would allow an unauthenticated attacker with network access to the appliance to authenticate himself as an administrator without providing a password.

Hackers could take advantage of the vulnerability to execute commands, access the data stored on the device, modify and copy it, and delete the NAS.

“We found that the My Cloud device is affected by an authentication escalade vulnerability that allows an unauthenticated user to create an administrator session linked to their IP address”, mentions the report published by specialists in ethical hacking. “By exploiting this vulnerability, the unauthenticated attacker can execute commands that would normally require administrator privileges and obtain complete control of the Western Digital device”.

The vulnerability lies in the process of creating admin sessions implemented by My Cloud devices that are linked to the user’s IP address. Once the session is created, the attacker can call the authenticated CGI modules by sending the cookie = admin username in the HTTP request. The CGI will verify if there is a valid session and is linked to the user’s IP address.

An attacker can send a CGI call to the device, including a cookie that contains the cookie username = admin. The investigators even published the code to exploit the vulnerability:

POST /cgi-bin/network_mgr.cgi HTTP/1.1

Host: wdmycloud.local

Content-Type: application/x-www-form-urlencoded

Cookie: username=admin

Content-Length: 23

 

cmd=cgi_get_ipv6&flag=1

“It was discovered that an unauthenticated attacker might create a valid session without having to authenticate himself”, the report continues.

The vulnerability was reported to the company since April, but there is still no official pronouncement by Western Digital.

According to specialists in ethical hacking from the International Institute of Cyber Security, last February were revealed two vulnerabilities in the storage devices Western Digital My Cloud that could be exploited by an attacker to gain root access to NAS devices. Similarly, in April it was discovered that Western Digital My Cloud EX2 storage devices were leaking files on a local network by default.