Unpatched Western Digital Bugs Leave NAS Boxes Open to Attack

Western Digital NAS owners were warned of critical flaws in the company’s My Cloud line of hardware that opened up data stored on those devices to attack.

Western Digital Corporation network-attached storage owners were warned of critical flaws in the company’s My Cloud line of hardware that exposed data stored on the devices to attack. The flaws impact a dozen Western Digital drives and could allow remote adversaries to bypass logins, insert commands, upload files without permission, and gain control of devices.

“This is a serious vulnerability, as the chances for the device to be fully compromised is very high,” said SEC Consult Vulnerability Lab (SCVL) on Tuesday. As of this writing, Western Digital has not provided any information regarding the vulnerabilities or supplied software updates to fix the reported bugs.

SCVL researchers notified Western Digital of the vulnerabilities on Jan. 18, 2016 and publicly disclosed the flaws Tuesday. Additionally, security firm Exploitee.rs simultaneously identified the flaws and publicly disclosed the bugs over the weekend.

The vulnerabilities were discovered on Western Digital’s My Cloud PR4100 NAS device. However, the flaws are also present across WD’s portfolio of MyCloud NAS devices such as: DL4100, EX4, EX2 Ultra and PR2100. A full list of impacted products is available online.

Researchers say the group of vulnerabilities, when used in tandem, creates conditions that could allow an attacker to fully compromise the hardware. “In the worst case, one could steal sensitive data stored on the device or use it as a jump host for further internal attacks,” according to SCVL in an advisory.

The vulnerabilities include command injection vulnerabilities, a stack-based buffer overflow bug and a cross-site request forgery flaw.

“The (cross-site request forgery flaw) can be combined with a command injection vulnerability to gain complete control (root access) of the affected device,” according to SCVL.

In a statement to Threatpost, Western Digital said it was undertaking a “preliminary evaluation” of the vulnerability reports.

“Based on a preliminary evaluation, a change to address one Exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates,” it wrote.

In December, researcher Steve Campbell first identified two command injection vulnerabilities in Western Digital MyCloud NAS (CVE-2016-10107 & CVE-2016-10108). Western Digital patched those vulnerabilities December 20, 2016, but according to Exploitee.rs the patches were flawed.

“This patch introduced a new vulnerability which had the same consequences as the original (prior to the update),” it wrote in a post outlining its research.

Exploitee.rs community researcher Zenofex said the bug was identified when access over Secure Shell (SSH), the cryptographic network protocol, was enabled.

“I quickly found the first bug that shocked me, this bug was based on code that performed a user login check but did so using cookies or PHP session variables. Using cookies for authentication isn’t necessarily a bad thing, but the way that the Western Digital MyCloud interface uses them is the problem,” Zenofex wrote. “Any time there is a login check within the PHP scripts, an attacker is able to bypass the check by supplying two specially crafted cookie values.”
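The pattern Zenofex describes, a login check that trusts values the client supplies, can be contrasted with a check that verifies a server-issued token. The PHP below is an added illustration, not code from the My Cloud firmware or from Exploitee.rs; the cookie names, function names and key handling are all hypothetical.

```php
<?php
// Added example: every name here (cookie keys, functions) is hypothetical.

// Weak pattern: the login check believes whatever the browser sends.
function weak_is_logged_in(array $cookies): bool
{
    return isset($cookies['user'], $cookies['role']) && $cookies['role'] === 'admin';
}

// Hardened pattern: the server issues a token bound to a user and an expiry,
// authenticated with a key that never leaves the server.
function issue_token(string $user, string $key, int $ttl = 900, ?int $now = null): string
{
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('user name must not contain the field separator');
    }
    $payload = $user . '|' . (($now ?? time()) + $ttl);
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

function strong_is_logged_in(array $cookies, string $key, ?int $now = null): bool
{
    $parts = explode('|', $cookies['session'] ?? '');
    if (count($parts) !== 3) {
        return false; // missing or malformed token: fail closed
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $key);
    // Constant-time MAC comparison first, then the expiry check.
    return hash_equals($expected, $mac)
        && ctype_digit($expires)
        && (int) $expires > ($now ?? time());
}

$key = random_bytes(32); // constructed per-run key; a real service keeps it server-side

// Constructed requests, labelled by how the cookies came to exist.
$selfAsserted = ['user' => 'anyone', 'role' => 'admin'];
$issued       = ['session' => issue_token('alice', $key)];
$tampered     = ['session' => str_replace('alice', 'admin', $issued['session'])];

printf("weak check, self-asserted cookies:   %s\n", var_export(weak_is_logged_in($selfAsserted), true));
printf("strong check, self-asserted cookies: %s\n", var_export(strong_is_logged_in($selfAsserted, $key), true));
printf("strong check, server-issued token:   %s\n", var_export(strong_is_logged_in($issued, $key), true));
printf("strong check, edited token:          %s\n", var_export(strong_is_logged_in($tampered, $key), true));
```

PHP's built-in server-side sessions achieve the same property as long as the login state is written only by the server after a successful authentication and never derived from request data.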

In all, Zenofex said he found 85 security issues tied to Western Digital’s My Cloud line of hardware, outlining them on an Exploitee.rs wiki.

In an email-based interview, Campbell noted, “The Exploitee.rs site where those 85 vulnerabilities were recently posted went further by logging into the device via ssh and looking at the application code. In retrospect I wish I had done that as well.”

“Given the number of vulnerabilities in this device, I’m not surprised at the number of other researchers submitted identical bugs,” Zenofex said. Zenofex’s list of bugs includes one login bypass, an arbitrary file write, 13 unauthenticated remote command execution bugs and 70 authentication-required command execution bugs.
