Western Digital’s My Cloud NAS Devices Found Vulnerable to Easy Hacking

Western Digital My Cloud NAS Devices Vulnerable to Authentication Bypass Attack

Security researchers have identified a serious vulnerability affecting Western Digital’s My Cloud Network-Attached Storage (NAS) devices, allowing unauthenticated attackers to gain administrative access. This flaw, which has been publicly disclosed by researchers at Securify, poses a significant risk, especially for businesses and individuals using these devices for storing and backing up sensitive data.

Western Digital’s My Cloud series is widely used for hosting files, sharing data within home networks, and giving users remote access to their information. The devices’ private cloud feature is particularly appealing to those who need flexibility in data management. However, the researchers found that this ease of access comes with a security cost: an authentication bypass vulnerability, designated CVE-2018-17153, that lets an attacker escalate to administrator privileges without supplying any password.

The vulnerability emerges from how the My Cloud devices establish admin sessions linked to a user’s IP address. By submitting an HTTP CGI request containing a cookie with the username set to “admin,” an attacker can exploit this flaw to obtain full administrative access to the device. This means the attacker could execute commands typically restricted to administrators, with the potential to view, copy, delete, or overwrite files stored on the NAS.

In an alarming finding, the researchers indicated that a valid admin session could be initiated solely by impersonating the admin user through cookie settings, with no authentication required. This represents a significant security gap that could be exploited in various environments.
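As an added defender-side illustration (not drawn from the article or from Securify’s PoC), the following check correlates device access logs per source IP and flags CGI requests that present a `username=admin` cookie from an address that never completed a login, which is what the IP-bound session behaviour described above would look like in logs. The log line format, the endpoint names and the sample lines are all constructed for this example; the real device’s log format and CGI paths are not given on the page.

```python
import re

# Constructed sample log lines in an assumed simplified access-log format:
# "<client_ip> <method> <path> cookie=<Cookie header or -> status=<code>"
# Field layout and CGI path names are assumptions for this example only.
SAMPLE_LOG = """\
192.168.1.20 POST /cgi-bin/login.cgi cookie=- status=200
192.168.1.20 GET /cgi-bin/some_admin_task.cgi cookie=username=admin status=200
192.168.1.99 GET /cgi-bin/some_admin_task.cgi cookie=username=admin status=200
192.168.1.99 GET /cgi-bin/some_admin_task.cgi cookie=username=admin;PHPSESSID=abc status=200
10.0.0.5 GET /index.html cookie=- status=200
"""

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) cookie=(?P<cookie>\S+) status=(?P<status>\d+)$"
)
LOGIN_PATH = "/cgi-bin/login.cgi"  # assumed name of the legitimate login endpoint


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def cookie_claims_admin(cookie_field):
    """True if the Cookie header contains a literal username=admin pair."""
    pairs = (p.split("=", 1) for p in cookie_field.split(";") if "=" in p)
    return any(k.strip() == "username" and v.strip() == "admin" for k, v in pairs)


def find_unauthenticated_admin_requests(log_text):
    """Return (ip, path) for CGI requests carrying an admin cookie from an IP that
    produced no successful login earlier in the log.  Sessions on the device are
    tied to the client IP, so the correlation is done per source address."""
    authenticated_ips = set()
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        if rec["path"] == LOGIN_PATH and rec["status"] == "200":
            authenticated_ips.add(rec["ip"])  # assume 200 on login = success
            continue
        if rec["path"].startswith("/cgi-bin/") and cookie_claims_admin(rec["cookie"]):
            if rec["ip"] not in authenticated_ips:
                findings.append((rec["ip"], rec["path"]))
    return findings
```

On the sample log this flags both requests from 192.168.1.99, while the request from 192.168.1.20 is accepted because that address logged in first.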

Securify has published proof-of-concept (PoC) exploit code demonstrating how straightforward it is to exploit this vulnerability. Running the exploit only requires network access to the My Cloud device, either from the local network or over the internet, which gives attackers a simple way to bypass the normal authentication process.

The researchers were able to verify the vulnerability on a specific My Cloud model running firmware version 2.30.172, though they emphasized that other models within the My Cloud line are similarly affected due to shared vulnerable code. This discovery was made during a reverse-engineering process aimed at identifying security weaknesses, with reports submitted to Western Digital as early as April 2017, yet no response was received. After more than 18 months of inaction from the company, the vulnerability was ultimately disclosed publicly.

This is not an isolated incident for Western Digital. Earlier in 2018, a researcher highlighted a separate hard-coded password backdoor issue in the My Cloud device firmware, further underscoring ongoing security concerns surrounding these products.

In a recent update, Western Digital acknowledged the vulnerabilities reported by researchers and stated they are finalizing a firmware update to resolve the issue. The company has indicated that this update is expected to be available on their technical support website soon.

In terms of potential attacker tactics, MITRE ATT&CK techniques that could apply include initial access through exploitation of the vulnerability, privilege escalation to administrator level, and persistence, since the flaw may allow attackers to retain access to the system after an initial breach. Organizations relying on network storage solutions should prioritize timely firmware updates and monitor for emerging threats to protect sensitive data effectively.