New Western Digital My Cloud Bugs Give Local Attackers Root on NAS Devices

Two new WD My Cloud vulnerabilities have been identified, adding to last month’s bevy of security bugs.

Researchers disclosed two new vulnerabilities in Western Digital My Cloud network storage devices on Thursday that could allow a local attacker to delete files stored on devices or allow them to execute shell commands as root.

Researchers at Trustwave disclosed the vulnerabilities, which come on the heels of disclosure by security firm GulfTech that reported critical vulnerabilities, including a hardcoded backdoor, in 12 Western Digital (WD) My Cloud devices.

The two WD My Cloud vulnerabilities disclosed by Trustwave include an arbitrary command execution flaw and an arbitrary file deletion (via specific parameters) bug. Impacted are the following Western Digital models: My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

The first (arbitrary command execution) vulnerability is tied to a common gateway interface script called “nas_sharing.cgi” used in the My Cloud firmware that allows any local user to execute shell commands as root on affected devices. The second (arbitrary file deletion) flaw, also related to a common gateway interface script “nas_sharing.cgi”.

“These vulnerabilities are likely not publicly exposed to the internet and would likely be exploited via the local network only,” said Martin Rakhmanov, security research manager at Trustwave SpiderLabs.

“The attacker would likely scan the network and would find the My Cloud device listening on TCP/80. At that point the attacker would have full control of a vulnerable device as well as full access to all data on the device,” he said. “Since these devices are used to centrally store and backup data, it is likely that data there is highly valued by an owner.”

Trustwave worked with WD on disclosing the vulnerabilities. According to researchers, both vulnerabilities are patched with a device firmware (version 2.30.172 ) update, released on Nov. 16, 2017. Confirmation of the patches from Western Digital wasn’t until Jan. 23, 2018.

“While we reached out at various points in time to (Western Digital), they were often non-responsive or asking for more delays when they did respond. When they finally released the patch in November and did not alert us. We found out the firmware was released only after reaching back out to them this month,” Rakhmanov said.

Last month, GulfTech researchers revealed a hardcoded backdoor impacting 12 Western Digital My Cloud network storage devices. According to GulfTech, the Western Digital devices allow remote backdoor admin access via username “mydlinkBRionyg” and password “abc12345cba”.

Trustwave said it also identified the remote backdoor in the same timeframe.

Suggested articles