UPDATE
Western Digital’s My Cloud EX2 storage devices leak files to anyone on a local network by default, no matter the permissions set by users. If configured for remote access via the public internet, the My Cloud EX2 also leaks files via an HTTP request on port 9000, according to researchers at Trustwave who first identified the leaky port.
On Wednesday, Trustwave released its findings, warning, “unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.”
Researchers said the leak is due to the device’s UPnP media server that is automatically started when the device is powered on. “By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” wrote Martin Rakhmanov, security research manager at Trustwave in a technical analysis of the My Cloud EX2.
Researchers said that when they disclosed their findings to Western Digital, the company said the insecure default settings did not warrant a fix. Instead, WD only recommends that users turn off DLNA “if they do not wish to utilize the product feature.”
“You don’t have to be authenticated. You don’t have to get the credentials ahead of time. If My Cloud is on a closed network or happens to be on the open internet (and the vulnerable port 9000 is open) then an attacker anywhere can access every single file on the appliance,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost in an interview.
Western Digital told Threatpost that the DLNA feature is used in conjunction with users’ media players on smartphones and TVs.
“My Cloud systems come with Twonky Server. Twonky Server allows access to My Cloud users within the local network without password protection, which is common with DLNA server software. Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled; or disable Twonky server for the entire system, which would disable only DLNA media server capabilities,” a spokesperson said.
The spokesperson said that DLNA is enabled by default on all My Cloud and My Cloud Mirror products, and disabled by default on the My Cloud Pro Series and Expert Series products.
WD said that only files that reside in a “share” for which DLNA is enabled are accessible without password protection and only to users on the local network.
The spokesperson did not address Trustwave’s larger concern: that unauthenticated outsiders can reach files on which the owner has set user and access restrictions.
“If you’re going to provide a NAS that actually provides authentication and access controls for users it just doesn’t make sense from a security perspective to implement this type of wonky DLNA component,” Sigler said.
Proof-of-Concept Attack
Sigler said the Trustwave proof-of-concept attack involves an adversary issuing an HTTP request to port 9000 asking for the “TMSContentDirectory/Control” resource. “The request should contain XML with Browse action in it,” Sigler said. The UPnP server will respond with a list of files on the device. Next, the attacker uses subsequent HTTP requests to fetch the actual files from the device using the URLs collected from that response, he said.
“It doesn’t matter that you can set permissions and credentials on the My Cloud EX2 to make sure that your children’s photos are locked down and only available to somebody that’s actually authenticated with the device. By knowing how the traffic works with the My Cloud (EX2) appliance, you can actually get it to feed you any file on the device, regardless of the permissions. That is something new specific to this device.”
WD is no stranger to vulnerabilities found in its NAS products. The company has patched several critical security bugs in its My Cloud network storage devices, the most serious of which allowed remote attackers to gain unrestricted root access to the device.
In January, researchers at GulfTech found a backdoor vulnerability that allowed remote attackers to send a POST request to a vulnerable WD NAS, enabling them to upload an arbitrary file to the server running on the vulnerable storage devices. GulfTech also discovered a backdoor that included the device’s hardcoded admin credentials. Other flaws found by Trustwave, Trend Micro and others have included cross-site request forgery, command injection, denial of service, and information disclosure.
Trustwave said it found the vulnerability on January 26. It recommends turning off DLNA to protect user data.
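The proof-of-concept description above and Trustwave’s advice to turn DLNA off together suggest two defender-side checks. The Python below is an added example, not code from Trustwave, Threatpost or Western Digital: it scans constructed log lines for SOAP Browse calls to the TMSContentDirectory/Control resource and for file fetches on port 9000, rates each hit by its source (off-LAN address, unknown LAN host, or a known media player), and includes a TCP reachability check an owner can run against their own NAS to confirm port 9000 is closed once Twonky/DLNA is disabled. The log line format, the IP addresses, the media paths and the allowlist of known players are all assumptions.

```python
"""Added example (not Trustwave's or Western Digital's code): flag unauthenticated
DLNA/UPnP ContentDirectory access on a My Cloud-style port 9000, and check whether
that port is still reachable after DLNA is supposedly disabled."""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set

DLNA_PORT = 9000
CONTROL_PATH = "/TMSContentDirectory/Control"   # resource named in the Trustwave description
BROWSE_SUFFIX = "#Browse"                       # SOAPAction of the UPnP Browse call

# Constructed sample lines in a hypothetical proxy/egress log format:
# <timestamp> <src> -> <dst>:<port> <method> <path> [soapaction="<value>"]
SAMPLE_LOG = """\
2018-04-25T10:00:01Z 192.168.1.20 -> 192.168.1.5:9000 POST /TMSContentDirectory/Control soapaction="urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
2018-04-25T10:00:02Z 192.168.1.20 -> 192.168.1.5:9000 GET /media/photos/example.jpg
2018-04-25T10:05:10Z 203.0.113.7 -> 192.168.1.5:9000 POST /TMSContentDirectory/Control soapaction="urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
2018-04-25T10:05:11Z 203.0.113.7 -> 192.168.1.5:9000 GET /media/photos/example.jpg
2018-04-25T10:06:00Z 192.168.1.77 -> 192.168.1.5:9000 POST /TMSContentDirectory/Control soapaction="urn:schemas-upnp-org:service:ContentDirectory:1#Browse"
2018-04-25T10:07:00Z 192.168.1.77 -> 192.168.1.5:80 GET /web/login.html
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+)(?: soapaction="(?P<action>[^"]*)")?$'
)

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}


@dataclass
class Finding:
    timestamp: str
    src: str
    kind: str      # "browse" = directory enumeration, "fetch" = file download
    severity: str  # "high" = off-LAN source, "medium" = unknown LAN host, "info" = known player


def classify(line: str, lan_nets: Sequence[ipaddress.IPv4Network],
             known_players: Set[str]) -> Optional[Finding]:
    """Return a Finding for traffic to the DLNA port, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or int(m["port"]) != DLNA_PORT:
        return None
    action = m["action"] or ""
    if m["method"] == "POST" and m["path"] == CONTROL_PATH and action.endswith(BROWSE_SUFFIX):
        kind = "browse"
    elif m["method"] == "GET":
        kind = "fetch"          # any GET on the media port pulls content without credentials
    else:
        return None
    src = ipaddress.ip_address(m["src"])
    if not any(src in net for net in lan_nets):
        severity = "high"       # media port reachable from outside the LAN: every DLNA share is exposed
    elif m["src"] not in known_players:
        severity = "medium"     # a LAN host that is not one of the household's media players
    else:
        severity = "info"
    return Finding(m["ts"], m["src"], kind, severity)


def scan(log_text: str, lan_cidrs: Sequence[str], known_players: Set[str]) -> List[Finding]:
    """Run classify() over every line; lan_cidrs are CIDR strings such as "192.168.1.0/24"."""
    nets = [ipaddress.ip_network(c) for c in lan_cidrs]
    found = (classify(line, nets, known_players) for line in log_text.splitlines())
    return [f for f in found if f is not None]


def worst_severity_by_source(findings: Sequence[Finding]) -> Dict[str, str]:
    """Collapse findings to the worst severity seen per source address."""
    worst: Dict[str, str] = {}
    for f in findings:
        if SEVERITY_ORDER[f.severity] > SEVERITY_ORDER.get(worst.get(f.src, ""), -1):
            worst[f.src] = f.severity
    return worst


def dlna_port_reachable(host: str, port: int = DLNA_PORT, timeout: float = 2.0) -> bool:
    """Exposure check to run against your own NAS after disabling DLNA/Twonky:
    True means the media port still accepts TCP connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]
    players = {"192.168.1.20"}       # constructed: the household's known DLNA client
    results = scan(SAMPLE_LOG, lan, players)
    for f in results:
        print(f"{f.timestamp} {f.src:<14} {f.kind:<6} {f.severity}")
    print(worst_severity_by_source(results))
```

Any "high" result means port 9000 was answering from outside the LAN, which is the remote-access case Trustwave describes; a "medium" browse from an unfamiliar LAN host is the default-configuration case, where no credentials were needed at all. Run dlna_port_reachable() against the NAS address after turning Twonky off to confirm the port no longer accepts connections.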
(This article was updated on 4/26/2018 at 10:30 am ET with a comment from Western Digital)