According to research conducted by information security professionals at Trustwave, Western Digital’s My Cloud EX2 storage devices filter files to anyone in a local network by default, this is regardless of the permissions set by users. If configured for remote access through the public Internet, My Cloud EX2 will also be able to filter files through an HTTP request on port 9000.
This week, Trustwave released its findings and warned: “Unfortunately, the default configuration of a new My Cloud EX2 unit allows any unauthenticated local network user to take any file through HTTP requests.”
This file leak is due to the UPnP media server on the device that automatically starts when the device is turned on, the researchers said. “By default, unauthenticated users can take any file from the device while avoiding the permissions or restrictions set by the administrator,” wrote Martin Rakhmanov, manager of security research at Trustwave in an analysis of My Cloud EX2.
The information security professionals also said that when they revealed their research to Western Digital, the company said that the insecure default configuration did not guarantee a solution. For its part, WD only recommends users to turn off DLNA “if they do not want to use the feature of the product.”
“You do not have to be authenticated, you do not have to get the credentials early, if My Cloud is on a closed network or is on the open Internet, an attacker can access all the files on the device,” said Karl Sigler, manager Trustwave threat intelligence.
Western Digital said the DLNA function is used in conjunction with the media players of the users on smartphones and televisions. “My Cloud systems come with Twonky Server, which allows access to My Cloud users within the local network without password protection, which is common with DLNA server software.” Western Digital recommends that users save content that they want to protect with a password in shared resources for which the DLNA capabilities are disabled, or disable the Twonky server for the entire system, which would disable only the capabilities of the DLNA media server, “said a spokesperson.
The spokesperson also said that DLNA is enabled by default in all My Cloud and My Cloud Mirror products. He also said that DLNA is disabled in other My Cloud Pro Series and Expert Series products by default.
WD commented that you can only access the files that reside in a “shared resource” for which DLNA is enabled without password protection and only to the users of the local network.
“If you are going to provide a NAS that really provides authentication and access controls for users, from a security perspective it makes no sense to implement this type of wonky DLNA component,” says Sigler.
Concept test attack
In addition, Sigler said the Trustwave proof-of-concept attack involves an adversary that issues an HTTP request to port 9000 requesting the “TMSContentDirectory / Control” resource. “The request must contain XML with the Explore action in it,” said Sigler. The UPnP server will respond with a list of files on the device. Then, the attacker uses subsequent HTTP requests to retrieve the files on the device using the URLs of the collected response.
“It does not matter if you can set permissions and credentials in My Cloud EX2 to make sure that the photos are blocked and only available to someone who is authenticated with the device.” Knowing how traffic works with the My Cloud (EX2) device, you can get it to supply any file on the device, also the permissions, that’s something specific for this device. ”
Western Digital is no stranger to vulnerabilities in its NAS products. Information security analysts said the company has patched several critical security bugs in its My Cloud network storage devices, the most serious of which allows remote attackers to gain root access without restrictions to the device.
In this year, GulfTech researchers found a backdoor vulnerability that allowed remote attackers to send a subsequent request to a vulnerable WD NAS, which allowed an arbitrary file to load on the server running on vulnerable storage devices. The experts also found a backdoor that included the coded administrator credentials of the device. Trustwave also found other flaws; Trendmicro and others have included the falsification of requests between sites, the injection of commands, the denial of service and the disclosure of information. Information security professionals recommend disabling DLNA to protect user data.