WD My Cloud NAS devices can be hijacked by attackers

Researchers with security consultancy VerSprite have unearthed several vulnerabilities in Western Digital’s My Cloud NAS product, which can be exploited by local and remote attackers to achieve root access to the device.

WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization’s office, and can be accessed either from a desktop located on the same network or remotely, with a smartphone, from wherever else in the world. Users can interact with it either via the administrative user interface or an application (that uses a RESTful API).

The flaws that the researchers found affect firmware versions 04.01.03-421 and 04.01.04-422, and possibly earlier versions. Western Digital is currently working on firmware updates that will plug those holes.

The first vulnerability permits remote command injection.

“When the device administrator configures the product he can add users to the device, configure their folder permissions, and grant or restrict remote access to the device and the files they are authorized to access,” the researchers explained.

“Remote access is typically done through the client application, which is available for Windows, Mac, Android, and iPhone. This client application is just a GUI front-end for the RESTful API mentioned before. VerSprite found that any authorized remote user of the device can remotely execute commands and steal files belonging to other users regardless of their permissions by abusing functionality within the RESTful api and the client applications. Worse yet, the attacking user will have root access to the NAS in a private internal network, so more can be at stake since an attacker can use this to pivot through the network.”

The client app is not the problem, the RESTful API is, as it fails to sanitize file names and attackers can simply include executable commands in them.

The only good news is that the attackers must have authorized access to the device in order to perform the attack. Still, there is a way to effect this attack without having authorized access: the device provides a “Public” folder on the local network, and anyone who has access to it – even via the Internet – can place a file with a malicious executable name in it.

The execution of the command in the file’s name is triggered by an authenticated user navigating to this Public folder.

The second flaw affects the device’s Web app. It does not differentiate between genuine and forged HTTP requests, and this allows attackers to perform cross-site request forgery.

“Combining this with the command injection vulnerabilities, an attacker may have a good chance of remotely gaining access to the device and compromise data,” the researchers said, but noted that attackers should have a valid session cookie and the knowledge of the device’s internal IP address in order to execute the attack.

This means that they have to first carry out a successful social engineering and WebRTC attack to gain that knowledge and the cookie.

Until Western Digital releases the needed firmware updates, users are advised to avoid clicking on links or downloading files from untrusted sources, always verify the authenticity of a login request before submitting credentials, disable WebRTC in their browsers, restrict access to the My Cloud device to only trusted users, disable remote access to the device (if possible), and to place the WD My Cloud device on a separate subnet, and behind a firewall.