Researchers at security firm Securify have discovered an elevation of privilege vulnerability in the Western Digital My Cloud platform that could be exploited by attackers to gain admin-level access to the device via an HTTP request.
The flaw, tracked as CVE-2018-17153, would allow an unauthenticated attacker with network access to the device to authenticate as an admin without providing a password.
The attacker could exploit the flaw to run commands, access the stored data, modify/copy them as well as wipe the NAS.
“It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to her IP address.” reads the report published by Securify.
“By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.”
The vulnerability resides in the process of creation of admin sessions implemented by the My Cloud devices that bound to the user’s IP address.
Once the session is created, it is possible to call the authenticated CGI modules by sending the cookie username=admin in the HTTP request. The CGI will check if a valid session is present and bound to the user’s IP address.
An attacker can send a CGI call to the device including a cookie containing the cookie username=admin.
“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate.” continues Securify.
“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”
The experts published the following PoC code to exploit the issue:
POST /cgi-bin/network_mgr.cgi HTTP/1.1 Host: wdmycloud.local Content-Type: application/x-www-form-urlencoded Cookie: username=admin Content-Length: 23 cmd=cgi_get_ipv6&flag=1
Securify reported the vulnerability to Western Digital in April, but it is still waiting for a response.
In February, experts from Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices that could be exploited by a local attacker to gain root access to the NAS devices.
In April, security experts at Trustwave discovered that Western Digital My Cloud EX2 storage devices were leaking files on a local network by default.
(Security Affairs – Digital My Cloud, hacking)