Western Digital My Cloud NAS devices wide open to attackers

Western Digital My Cloud NAS devices have again been found wanting in the security department, as two set of researchers have revealed a number of serious flaws in the devices’ firmware.

WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization’s office, and can be accessed either from a desktop located on the same network or remotely, with a smartphone, from wherever else in the world. Users can interact with it either via the administrative user interface or an application (that uses a RESTful API).

Vulnerabilities revealed

Zenofex, a member of the Exploitee.rs team, revealed the existence of a login bypass issue, several command injection flaws, and a number of other bugs on Saturday.

Then, on Tuesday, researchers with the SEC Consult Vulnerability Lab published a security advisory warning about:

• The existence of an unauthenticated OS command injection vulnerability
• The existence of an unauthenticated arbitrary file upload flaw (that could allow an attacker to upload a malicious file or script with OS commands into the devices’ webserver), and
• The fact that the devices’ firmware has no anti-CSRF mechanisms.

“Due to [no anti-CSRF mechanisms], an attacker can force a user to execute any action through any script. As the [OS command injection and unauthenticated arbitrary file upload vulnerabilities] do not need authentication, those can
be exploited via CSRF over the Internet as well!”, the researchers noted.

Which Western Digital My Cloud NAS devices and firmware versions are vulnerable?

SEC consult found the flaws in version 2.11.157 of the firmware on a My Cloud EX2 device, but they believe that other My Cloud devices are almost surely vulnerable as well, as the same (or pretty much the same) firmware is used on all of them.

Zenofex did his testing on a My Cloud PR4100 device, but also noted that other My Cloud devices are vulnerable to the same issues.

In the wake of these latest revelations, Securify researchers again pointed to their own research and security advisories from January 2017 dealing with the same or similar vulnerabilities, found on versions 2.21.119 and
2.21.126 of the firmware.

All three groups say that the issues have yet to be fixed by Western Digital. SEC Consult researchers complained about the company slow reaction to their responsable disclosure efforts, while Zenofex noted that the company’s dismal reputation when it comes to patching reported issues. So, he opted for public disclosure, in the hopes that this will push the company to pick up the pace.

“Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible,” he noted.

In short, the found flaws can allow local or remote attackers to completely compromise the devices.

“SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved,” the researchers noted.