WD MyCloud device

A security researcher is urging owners of Western Digital MyCloud NAS devices to update the firmware of their portable hard-drives to fix a series of important security bugs he reported to the vendor, among which there is an easy exploitable and wormable hardcoded (backdoor) account.

James Bercegay, a security researcher with GulfTech Research and Development, discovered and reported these flaws to Western Digital in June 2017.

The researcher published a detailed report last Wednesday after Western Digital released firmware updates.

RCE, backdoor, and an CSRF

The expansive report describes three main flaws that can be abused for different results. A short summary of all the flaws is available below, but for more detailed analysis of each vulnerability readers should refer to Bercegay's bug report:

1) Unrestricted file upload - A PHP file found on the WD MyCloud's  built-in web server allows an attacker to upload files on the device. Bercegay says he used this flaw to upload web shells on the device, which in turn granted him control over the device.
2) Hardcoded backdoor account - An attacker can log into vulnerable WD MyCloud NAS devices using the username "mydlinkBRionyg" and the password "abc12345cba". Bercegay says the backdoor doesn't give attackers admin access, but he was able to exploit another flaw and get root permissions for the backdoor account.
3) CSRF (Cross-Site Request Forgery) - A CSRF bug that can be exploited for executing rogue commands on the device and for playing stupid pranks by resetting the device's backend panel interface language.

Flaws are wormable and can impact private NAS devices

Of all flaws, Bercegay said the hardcoded backdoor account was the bigger issue because attackers could also attack devices isolated in local networks, not just NAS devices connected to the Internet.

"The triviality of exploiting this issues makes it very dangerous, and even wormable," the researcher says. "Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

The researcher provides an example exploit. The code below is for an image that when loaded on the computer of a WD NAS device owner will format his MyCloud device. Because the code can be hidden inside an ad or in a one-pixel iframe, the user won't even notice it when loaded on a page.

< img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;" >

Firmware out for affected devices

Bercegay says Western Digital released firmware version 2.30.174 that removes the backdoor account and patches the reported flaws. The following WD MyCloud devices are using vulnerable firmware versions, according to Bercegay's report:

Vulnerable:
               MyCloud
               MyCloudMirror
               My Cloud Gen 2
               My Cloud PR2100
               My Cloud PR4100
               My Cloud EX2 Ultra
               My Cloud EX2
               My Cloud EX4
               My Cloud EX2100
               My Cloud EX4100
               My Cloud DL2100
               My Cloud DL4100

Not Vulnerable:
               MyCloud 04.X Series
               MyCloud 2.30.174

Some of the flaws Bercegay found were also discovered by researchers from the Exploitee.rs community last March.

D-Link and WD shared the same backdoor account back in 2014

Bercegay also points out another interesting detail. The researcher says that Western Digital appears to have shared firmware code —possibly through a third-party software supplier— with the D-Link DNS-320L ShareCenter.

Bercegay says old D-Link DNS-320L ShareCenter firmware code also came with the same backdoor, but D-Link removed it four years ago.

"It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while," the researcher says. "The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates."

UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.

Related Articles:

Firmware Vulnerabilities Disclosed in Supermicro Server Products

Malware Found in the Firmware of 26 Low-Cost Android Devices

An Up-to-Date Browser Should Keep Users Safe From Most Exploit Kits

New GZipDe Malware Drops Metasploit Backdoor

Microsoft Edge Bug Exposes Content From Other Sites via HTML5 Audio Tag