Western Digital My Cloud passwords "easy" to bypass

by Mark Tyson on 21 September 2018, 12:12

Tags: WD (NYSE:WDC)


Many HEXUS users are likely to own a Western Digital MyCloud NAS device. These are popular network storage devices, from entry-level models upwards, but recently an "easy" authentication bypass vulnerability has been unveiled. Keeping their personal/family/business data private will be a major concern for many users of NAS devices, but reportedly WD has done nothing to patch the flaw to which it was alerted over a year ago.

'Welcome' to anyone

After alerting WD to the privilege escalation bug in April 2017, security researcher Remco Vermeulen said that WD stopped responding to his communications. It is common practice for 'white hat hackers' to give companies 90 days to respond, but Vermeulen went way beyond this timescale (260 days), giving WD plenty of chance to respond and patch. He found that WD had issued firmware fixes over the last year, but none of them fixed this easy-to-exploit remote access flaw. Meanwhile, the bug was independently found by another security team, which released its own exploit code, TechCrunch reports.

The remote access bug is "easy" to exploit, according to Vermeulen. If your MyCloud device is set to allow remote access over the internet, an unauthenticated user can create a valid session simply by setting a username=admin cookie. From then on that user has "complete control" over the owner's data via the MyCloud web interface. The root cause is that the web-based dashboard "doesn't properly check a user's credentials before giving a possible attacker access to tools that should require higher levels of access", the source report explains.
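To make the mechanism concrete, here is an added illustration (not WD's firmware code; the function names and session store are hypothetical): an authorisation check that takes an identity cookie at face value, beside one that only trusts a server-side session token issued after a real login.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed server-side session store: token -> username.  In a real
# service this lives in memory or a database, never in the client's cookie.
SESSIONS = {}

def login(username: str) -> str:
    """Issue a random token after credentials have been verified elsewhere.
    Only the unguessable token, not the identity, is handed to the client."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def parse_cookies(header: str) -> dict:
    """Turn a raw Cookie header into a name -> value mapping."""
    cookie = SimpleCookie()
    cookie.load(header)
    return {name: morsel.value for name, morsel in cookie.items()}

def vulnerable_is_admin(cookie_header: str) -> bool:
    """Flawed pattern: the client-supplied identity claim is believed,
    so any request carrying username=admin is treated as the administrator."""
    return parse_cookies(cookie_header).get("username") == "admin"

def hardened_is_admin(cookie_header: str) -> bool:
    """Identity comes from a server-side lookup of the session token;
    a client-chosen username cookie carries no weight at all."""
    token = parse_cookies(cookie_header).get("session", "")
    for known, user in SESSIONS.items():
        if hmac.compare_digest(known, token):  # constant-time comparison
            return user == "admin"
    return False

def demo() -> dict:
    """Run both checks against a forged cookie and a genuine session."""
    real_token = login("admin")
    forged = "username=admin"            # constructed attacker-style header
    genuine = f"session={real_token}"    # header a logged-in browser sends
    return {
        "forged_vulnerable": vulnerable_is_admin(forged),
        "forged_hardened": hardened_is_admin(forged),
        "genuine_hardened": hardened_is_admin(genuine),
    }

if __name__ == "__main__":
    print(demo())
```

The forged header passes the first check and fails the second, which is the whole difference between the reported dashboard behaviour and a correctly validated session.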

Despite apparently ignoring Vermeulen, a WD spokesperson responded to TechCrunch's query about this privilege escalation flaw. "We are in the process of finalizing a scheduled firmware update that will resolve the reported issue," said the company official. With regard to timing, the patch will arrive "within a few weeks". WD admitted that My Cloud EX2, EX4 and Mirror products were vulnerable, but not the newer My Cloud Home devices.

If you own one of the affected WD products then Vermeulen recommends that users "just disconnect" the device for now, to be sure to keep their data safe.



HEXUS Forums :: 5 Comments

The UI screenshot contains a public IP address in the address bar.
Lol, it's like takeaway companies that are 10 minutes late and you call them and they say “driver has just left and will be with you shortly!”

Sounds like they had done nothing until it had been publicised, how silly.
It's always disappointing to see when companies take their time on fixing serious security issues like this, when it should be considered essential to rectify as quickly as possible.

But obviously this is the reason that public disclosure exists, to force them into it if it hasn't been done in a reasonable timeframe. The fact that they were given more than three times the standard 90 days, only to still fail to do anything proves the point even more.
mark_a_scott
The UI screenshot contains a public IP address in the address bar.

And the clue is public and if you do a whois - you will find some details - how much use they will be though…
Why would you ever allow remote access IF you care about someone else accessing your data?

tbh any device should come with plain warning - “enabling remote access makes device vulnerable”