Security experts at Trustwave have discovered that Western Digital My Cloud EX2 storage devices leak files on a local network by default. The situation gets worse if users configure the device for remote access and expose them online, in this scenario the My Cloud EX2 storage devices also leak files via an HTTP request on port 9000.
“unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests,” states the security advisory published by Trustwave.
“It is possible to access files on the storage even when Public shares are disabled. Specifically, anyone can issue HTTP requests to TMSContentDirectory/Control on port 9000 passing various actions. The Browse action returns XML with URLs to individual files on the device”
According to the experts, the problem tied the embedded UPnP media server that is automatically started when the device is powered on.
“By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” continues Trustwave.
Trustwave revealed they found the vulnerability on January 26.
Trustwave reported the vulnerabilities to Western Digital that initially downplayed them, and only recommended users to disable the DLNA.
Trustwave published a Proof-of-Concept code for the vulnerabilities, the attack scenario sees the attackers issuing an HTTP request to port 9000 asking for the “TMSContentDirectory/Control” resource, the UPnP server, in turn, will respond with a list of files on the storage. Then the attacker uses subsequent HTTP requests to fetch files from the storage using URLs from the response collected.
“It doesn’t matter that you can set permissions and credentials on the My Cloud EX2 to make sure that your children’s photos are locked down and only available to somebody that’s actually authenticated with the device. By knowing how the traffic works with the My Cloud (EX2) appliance, you can actually get it to feed you any file on the device, regardless of the permissions. That is something new specific to this device.” continues Trustwave.
In February, researchers at Trustwave disclosed other two vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to gain root access to the NAS devices.
Trustwave recommends turning off DLNA to protect user data.
(Security Affairs – Western Digital MY CLOUD EX2, data leak)