Western Digital’s My Cloud Devices Exposed to Critical Vulnerabilities
Security researchers have identified multiple serious vulnerabilities and a hidden hard-coded backdoor in Western Digital’s My Cloud network-attached storage (NAS) devices. These security flaws pose a significant risk, enabling remote attackers to gain unrestricted root access to the devices.
Western Digital’s My Cloud (WDMyCloud) is a widely used solution for personal and business file storage, allowing users to back up and sync data with various cloud-based services. It also features the ability to access files remotely, enhancing usability for individuals needing on-demand data availability. However, the nature of these devices being internet-connectable renders them susceptible to attacks, particularly given the existence of a hardcoded backdoor that jeopardizes user data security.
The GulfTech research team has issued an advisory detailing these vulnerabilities. Their findings revealed a backdoor which could permit attackers to inject commands and access sensitive files without authorization. In June of the previous year, researcher James Bercegay reported these issues to Western Digital, gaining acknowledgment from the vendor who requested a 90-day window before the disclosure of the flaws. However, after nearly six months, the details were publicly revealed on January 3rd, with no patches available.
One of the most pressing concerns relates to an unrestricted file upload vulnerability. This issue stems from a flaw in the “multi_uploadify.php” script due to improper implementation of the gethostbyaddr() PHP function. By exploiting this vulnerability, an attacker could upload malicious files leading to remote command execution as the root user. The researcher has also developed a Metasploit module to exploit this vulnerability, which facilitates uploading a PHP webshell that can subsequently be executed from a specific URI.
Additionally, researchers uncovered a hard-coded backdoor using an administrator username set to “mydlinkBRionyg” and a static password of “abc12345cba,” an oversight leaving devices vulnerable to unauthorized access. This backdoor not only grants access to the device but also exposes the vulnerable code that could be susceptible to command injection attacks. The ease of exploitation underscores the significant danger it poses, even for users secured within a local area network.
Beyond these critical vulnerabilities, several other flaws have been identified. There’s a concerning absence of cross-site request forgery (XSRF) protection in the My Cloud web interface, leaving users open to attacks that could be initiated by simply visiting a compromised website. A 2018 discovery revealed command injection issues, which could be combined with the XSRF vulnerability to give an attacker complete control over the device. Additionally, researchers identified how unauthenticated users could manipulate global language preferences to instigate a Denial of Service condition, disrupting service for legitimate users.
Information disclosure vulnerabilities also exist, allowing attackers to query user lists and detailed information without authentication. Such efforts involve simple HTTP requests that exploit weaknesses in the device’s API.
The vulnerabilities affect all versions of My Cloud firmware version 2.30.165 and earlier, impacting multiple device models, including My Cloud Gen 2, My Cloud PR2100, and others. As noted, the exploitation of these vulnerabilities is enabled by tactics listed in the MITRE ATT&CK framework, particularly around initial access, privilege escalation, and exploitation of vulnerabilities.
Cybersecurity professionals and business owners must remain vigilant regarding these revelations, ensuring that their systems are updated and secure against possible threats. The Metasploit modules linked to these vulnerabilities serve as a reminder of the ongoing need for rigorous security measures and regular updates in an era where such critical issues can lead to dire consequences.