A security researcher is urging owners of Western Digital MyCloud NAS devices to update the firmware of their portable hard-drives to fix a series of important security bugs he reported to the vendor, among which there is an easy exploitable and wormable hardcoded (backdoor) account.
James Bercegay, a security researcher with GulfTech Research and Development, discovered and reported these flaws to Western Digital in June 2017.
The researcher published a detailed report last Wednesday after Western Digital released firmware updates.
The expansive report describes three main flaws that can be abused for different results. A short summary of all the flaws is available below, but for more detailed analysis of each vulnerability readers should refer to Bercegay's bug report:
1) Unrestricted file upload - A PHP file found on the WD MyCloud's built-in web server allows an attacker to upload files on the device. Bercegay says he used this flaw to upload web shells on the device, which in turn granted him control over the device.
2) Hardcoded backdoor account - An attacker can log into vulnerable WD MyCloud NAS devices using the username "mydlinkBRionyg" and the password "abc12345cba". Bercegay says the backdoor doesn't give attackers admin access, but he was able to exploit another flaw and get root permissions for the backdoor account.
3) CSRF (Cross-Site Request Forgery) - A CSRF bug that can be exploited for executing rogue commands on the device and for playing stupid pranks by resetting the device's backend panel interface language.
Of all flaws, Bercegay said the hardcoded backdoor account was the bigger issue because attackers could also attack devices isolated in local networks, not just NAS devices connected to the Internet.
"The triviality of exploiting this issues makes it very dangerous, and even wormable," the researcher says. "Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."
The researcher provides an example exploit. The code below is for an image that when loaded on the computer of a WD NAS device owner will format his MyCloud device. Because the code can be hidden inside an ad or in a one-pixel iframe, the user won't even notice it when loaded on a page.
< img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;" >
Firmware out for affected devices
Bercegay says Western Digital released firmware version 2.30.174 that removes the backdoor account and patches the reported flaws. The following WD MyCloud devices are using vulnerable firmware versions, according to Bercegay's report:
Some of the flaws Bercegay found were also discovered by researchers from the Exploitee.rs community last March.
Bercegay also points out another interesting detail. The researcher says that Western Digital appears to have shared firmware code —possibly through a third-party software supplier— with the D-Link DNS-320L ShareCenter.
Bercegay says old D-Link DNS-320L ShareCenter firmware code also came with the same backdoor, but D-Link removed it four years ago.
"It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while," the researcher says. "The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates."
UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.