Western Digital My Cloud NAS Drives Susceptible To Serious Remote Root Exploits
If you have a Western Digital My Cloud device, you might want to perk up and pay attention. Security researchers have discovered that the family of network-attached storage (NAS) drives are susceptible to some rather nasty remote exploits, and they thus far have not been [properly] patched by Western Digital.
The first issue that researcher zenofex discovered is Western Digital’s sloppy use of scripts to authenticate users. The company uses cookies for authentication, but the way the process was implemented allows for an attacker to specially "bake" cookies to meet compliance. “Any time there is a login check within the PHP scripts, an attacker is able to bypass the check by supplying 2 specially crafted cookie values,” writes zenofex.
But here’s the kicker; during his research, zenofex discovered that Western Digital had rolled out a firmware update to resolve this issue. But with that step forward, the company took another step (or two) backwards, with the researcher writing, “This patch introduced a new vulnerability which had the same consequences as the original.” Sheesh!
Other issues found include command injection bugs and one rather curious flaw that would allow a user that hasn’t been authenticated to upload files onto a My Cloud NAS. “Our general goal at Exploitee.rs is to get bugs fixed as quickly as possible,” writes zenofex. “However, the large number of severe findings means that we may need to re-evaluate the product after the vendor has properly fixed the released vulnerabilities.”
The above exploits were discovered on a My Cloud PR4100, but should be applicable to the entire My Cloud family. We should also note that it’s typically prudent for a researcher to reveal security flaws first to a product’s vendor, and give them a reasonable amount of time to release a fix to the public. However, Exploitee.rs decided to essentially pull Western Digital’s underwear down in public due to its history of foot-dragging when exploits are brought to its attention.
Zenofex states that after learning Western Digital received a “Pwnie for Lamest Vendor Response” at BlackHat Vegas due to its decision to completely ignore a number of severe bugs that were reported, Exploitee.rs decided to air all of Western Digital’s dirty laundry to the public immediately. “Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices,” adds zenofex.
The ball is now in your court, Western Digital.