[SingCERT] Alert on Western Digital NAS Drive Vulnerabilities

Published on Tuesday, 09 January 2018 21:43

Background

Western Digital's My Cloud (WDMyCloud) is a popular Network-Attached Storage (NAS) drive used by individuals and businesses to host files, automatically backup and sync with various cloud and web-based services. The drive lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time.

On 3 January 2018, a security researcher disclosed several vulnerabilities and a hardcoded backdoor account in WDMyCloud NAS drives that could allow remote attackers to gain unrestricted root access to the drive. Three vulnerabilities have been discovered. They are:
  1. Unrestricted file upload
    This vulnerability allows a remote attacker to upload an arbitrary file to the server running on vulnerable internet-connected storage devices.

  2. Hardcoded backdoor account
    An attacker can log in to WDMyCloud NAS drives with the admin username “mydlinkBRionyg” and password “abc12345cba”. With these credentials, anyone can use this backdoor account to reach vulnerable code that is susceptible to command injection and spawn a root shell.

  3. Cross-Site Request Forgery (CSRF)
    A CSRF bug can be exploited to execute commands on the drive that reset the language of the drive’s backend administration panel. Command injection issues within the drive, combined with the CSRF vulnerability, can enable an attacker to gain complete control (root access) of the affected drive.

Affected Products

  • MyCloud
  • MyCloudMirror
  • My Cloud Gen 2
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100

Impact

A successful exploit could allow attackers to take full control of the drives and access all information stored on the drive.
Recommendations
Users are advised to update their affected drives to firmware version 2.30.174 or later.
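As a defensive aid (added here; it is not SingCERT's or Western Digital's code), the following Python script flags inventoried devices that are affected models running firmware below 2.30.174, comparing version fields numerically so that a string such as "2.30.9" is not mistaken for a newer release. The hostnames, models and versions in the sample inventory are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Firmware version that the advisory says removes the backdoor account
# and fixes the upload and CSRF issues.
FIXED_VERSION = "2.30.174"

# Affected products as listed in the advisory, normalised to lower-case
# alphanumerics so "My Cloud EX2" and "MyCloudEX2" match the same entry.
AFFECTED_MODELS = {
    "mycloud", "mycloudmirror", "mycloudgen2", "mycloudpr2100",
    "mycloudpr4100", "mycloudex2ultra", "mycloudex2", "mycloudex4",
    "mycloudex2100", "mycloudex4100", "myclouddl2100", "myclouddl4100",
}


def normalise_model(model: str) -> str:
    return re.sub(r"[^a-z0-9]", "", model.lower())


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '2.30.174' into (2, 30, 174) for field-wise numeric comparison.
    Comparing the raw strings would wrongly rank '2.30.9' above '2.30.174'."""
    fields = re.findall(r"\d+", version)
    if not fields:
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(f) for f in fields)


def needs_update(model: str, firmware: str) -> bool:
    """True if the device is an affected model on firmware older than the fix.
    Assumption: every affected model runs the 2.x firmware line the advisory
    names; devices on another line should be checked against vendor notes."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, model, firmware) entries that still need patching."""
    return [entry for entry in inventory if needs_update(entry[1], entry[2])]


# Constructed sample inventory: hostnames, models and versions are made up.
SAMPLE_INVENTORY = [
    ("nas-01", "My Cloud EX2 Ultra", "2.30.9"),     # lexically "newer", actually older
    ("nas-02", "My Cloud PR4100", "2.30.174"),      # already on the fixed release
    ("nas-03", "MyCloudMirror", "2.21.126"),
    ("nas-04", "My Passport Wireless", "1.05.09"),  # not in the affected list
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} -> update to {FIXED_VERSION}")
```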
References
https://www.bleepingcomputer.com/news/security/backdoor-account-removed-from-western-digital-nas-hard-drives/
https://www.theregister.co.uk/2018/01/08/wd_mycloud_nas_backdoor/

https://thehackernews.com/2018/01/western-digital-mycloud.html