Western Digital MyCloud NAS

Multiple Western Digital My Cloud Network Attached Storage (NAS) devices are affected by a series of security flaws of varying severity that allow attackers to bypass authentication, execute code on the device, and upload or download user data.

Discovered by a security researcher who goes by the name Zenofex, these flaws have not been reported to Western Digital and remain unpatched, and public exploit code is available for more than half of them.

Multiple MyCloud models affected

According to Zenofex, multiple WD MyCloud NAS models are affected, including:

  •     My Cloud
  •     My Cloud Gen 2
  •     My Cloud Mirror
  •     My Cloud PR2100
  •     My Cloud PR4100
  •     My Cloud EX2 Ultra
  •     My Cloud EX2
  •     My Cloud EX4
  •     My Cloud EX2100
  •     My Cloud EX4100
  •     My Cloud DL2100
  •     My Cloud DL4100

Zenofex's decision not to inform Western Digital came after the researcher attended a security conference last year, where other infosec professionals complained about Western Digital ignoring vulnerability reports.

It was at the same conference, Black Hat USA 2016, where Western Digital also won a Pwnie Award in a category called "Lamest Vendor Response."

"Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out," Zenofex wrote, explaining his decision not to wait for Western Digital to patch the bugs.

"Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible," he added.

85 security flaws discovered

Zenofex, who's a member of the Exploitee.rs community, says he found a whopping total of 85 security issues. Proof-of-concept exploit code is available for 48 of these vulnerabilities on the Exploitee.rs wiki.

Based on the exploit code, many of these security flaws can be exploited by altering cookie values or embedding shell commands in cookie parameters.

More complex attack scenarios include embedding requests aimed at the NAS inside image tags on websites MyCloud owners may visit. When the image loads in the victim's browser, the browser sends the embedded request to the NAS on the local network, where the exploit executes and takes over the device.
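To make the image-tag scenario concrete, here is an added example (not code from the article or from Exploitee.rs): the request a visitor's browser emits for an `<img>` tag pointing at a NAS on the LAN, and a server-side check a NAS web interface could use to refuse to act on such cross-site requests. The hostname, CGI path, cookie and header values are constructed for illustration and are not identifiers from the MyCloud firmware.

```python
"""
Added example, not the MyCloud firmware's code: why an <img> tag on a third-party
site reaches a NAS on the visitor's LAN, and a check that rejects such requests.
All hostnames, paths, cookie and header values below are constructed.
"""
from urllib.parse import parse_qs, urlsplit

NAS_HOST = "wdmycloud.local"   # assumed LAN name of the NAS (constructed)

# What the visitor's browser sends when a page on attacker.example contains
# <img src="http://wdmycloud.local/cgi-bin/admin.cgi?action=set_hostname&name=pwned">
# (constructed request, not a capture). The NAS cookie is attached automatically,
# so the request arrives already authenticated; modern browsers also add
# Sec-Fetch-* headers that reveal it was triggered from another site.
IMG_TAG_REQUEST = {
    "method": "GET",
    "path": "/cgi-bin/admin.cgi?action=set_hostname&name=pwned",
    "headers": {
        "Host": NAS_HOST,
        "Cookie": "session=abc123",
        "Referer": "http://attacker.example/cat-pictures.html",
        "Sec-Fetch-Site": "cross-site",
        "Sec-Fetch-Dest": "image",
    },
}

# The same action triggered legitimately from the NAS's own web UI.
SAME_ORIGIN_REQUEST = {
    "method": "GET",
    "path": "/cgi-bin/admin.cgi?action=set_hostname&name=nas-01",
    "headers": {
        "Host": NAS_HOST,
        "Cookie": "session=abc123",
        "Referer": "http://wdmycloud.local/ui/settings",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-Dest": "empty",
    },
}

# An older browser that sends no Sec-Fetch-* headers: only Referer is available.
LEGACY_REQUEST = {
    "method": "GET",
    "path": "/cgi-bin/admin.cgi?action=set_hostname&name=pwned",
    "headers": {
        "Host": NAS_HOST,
        "Cookie": "session=abc123",
        "Referer": "http://attacker.example/",
    },
}

# Actions that change device state and must never be reachable cross-site.
STATE_CHANGING_ACTIONS = {"set_hostname", "add_user", "reboot"}


def is_cross_site(req, nas_host=NAS_HOST):
    """True when the request was triggered by a page on another site."""
    h = {k.lower(): v for k, v in req["headers"].items()}
    site = h.get("sec-fetch-site")
    if site is not None:
        # "none" means a user-typed navigation or bookmark, not another site.
        return site not in ("same-origin", "same-site", "none")
    # Fallback for browsers without Fetch Metadata: Origin, then Referer.
    source = h.get("origin") or h.get("referer")
    if source is None:
        return True   # fail closed: no provenance at all, treat as cross-site
    return urlsplit(source).hostname != nas_host


def handle(req):
    """Minimal dispatcher: refuse state-changing actions that arrive cross-site."""
    action = parse_qs(urlsplit(req["path"]).query).get("action", [""])[0]
    if action in STATE_CHANGING_ACTIONS and is_cross_site(req):
        return "403 Forbidden: cross-site request"
    return "200 OK"


if __name__ == "__main__":
    for name, req in [("img tag", IMG_TAG_REQUEST),
                      ("own UI", SAME_ORIGIN_REQUEST),
                      ("legacy", LEGACY_REQUEST)]:
        print(f"{name:8} -> {handle(req)}")
```

The header check is a mitigation, not the whole fix: state changes should require a POST carrying a per-session CSRF token, and the session cookie should be marked `SameSite`, so that a request the browser assembles from an `<img>` tag can never be authenticated in the first place. Note that the fail-closed branch rejects requests with no `Referer`, which will also stop scripted `curl` calls that omit the header; that is the intended trade-off for a state-changing endpoint.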

The most severe of these issues, according to Zenofex, is an authentication bypass, which was also the easiest to exploit: it required nothing more than modifying cookie session parameters.

Ironically, while Zenofex was investigating the login bypass, Western Digital issued a MyCloud firmware update that introduced a new bug into the same login mechanism. It now also lets attackers execute code by embedding shell commands in cookie parameters.
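The two bug classes described above, trusting cookie values for authentication and splicing a cookie value into a shell command, are shown here in an added example that is not the MyCloud firmware's code (the article does not reproduce it) and uses no identifiers from it. The cookie names, the in-memory session store, the credentials and the `echo` stand-in for the real command are all constructed for illustration; each vulnerable handler sits beside a hardened version.

```python
"""
Added example, not code from the article or the MyCloud firmware: a CGI-style
handler that (a) decides who is an admin from cookie values the client controls
and (b) builds a shell command from a cookie value, beside hardened versions.
Cookie names, users, passwords and the session store are constructed.
"""
import hashlib
import hmac
import re
import secrets
import subprocess


def parse_cookies(header):
    """Split a Cookie header the way many small CGI scripts do: on '; ' then '='."""
    out = {}
    for part in header.split("; "):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k] = v
    return out


# --- (a) who is logged in? ------------------------------------------------

def vulnerable_is_admin(cookie_header):
    """Identity and role are read straight from cookies the client can forge."""
    c = parse_cookies(cookie_header)
    return c.get("user") == "admin" and c.get("role") == "admin"


# Hardened: the cookie carries only an unguessable token; identity and role
# live in a server-side table the client cannot edit.
SESSIONS = {}                      # token -> {"user": ..., "role": ...} (constructed store)
_SALT = b"constructed-salt"        # per-user salts in real code; one here for brevity
USERS = {"admin": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


def login(user, password):
    """Return a session token on a valid password, else None."""
    stored = USERS.get(user)
    if stored is None:
        return None
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, candidate):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": user, "role": "admin" if user == "admin" else "user"}
    return token


def hardened_is_admin(cookie_header):
    """Only the server-side record decides the role; forged cookies are ignored."""
    token = parse_cookies(cookie_header).get("session", "")
    sess = SESSIONS.get(token)
    return sess is not None and sess["role"] == "admin"


# --- (b) shell command built from a cookie value --------------------------

def vulnerable_set_hostname(cookie_header):
    """Interpolates the cookie into a shell string: 'x|echo INJECTED' runs echo.
    (echo stands in for the real action so the demo is harmless; on the NAS the
    article describes, such a command ran as root.)"""
    name = parse_cookies(cookie_header).get("hostname", "")
    return subprocess.run(f"echo {name}", shell=True,
                          capture_output=True, text=True).stdout


def hardened_set_hostname(cookie_header):
    """Two layers: allow-list the value, then pass it as an argv element with no
    shell, so metacharacters are never interpreted. Returns None when rejected."""
    name = parse_cookies(cookie_header).get("hostname", "")
    if not re.fullmatch(r"[A-Za-z0-9-]{1,63}", name):
        return None
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


if __name__ == "__main__":
    forged = "user=admin; role=admin"
    print("vulnerable admin with forged cookie:", vulnerable_is_admin(forged))
    print("hardened admin with forged cookie:  ", hardened_is_admin(forged))
    print("vulnerable hostname output:", repr(vulnerable_set_hostname("hostname=x|echo INJECTED")))
    print("hardened hostname output:  ", repr(hardened_set_hostname("hostname=x|echo INJECTED")))
```

The injection payload deliberately avoids `;` and spaces after it, because the cookie parser would split the value there; `|`, `$(...)` and backticks survive cookie parsing untouched, which is why cookie parameters are a viable injection channel. The hardened handler rejects the value before it reaches `subprocess`, and even a value that slipped past the allow-list would arrive at `echo` as a single literal argument.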

Despite the severity and evolution of this particular issue, the other flaws shouldn't be ignored either: several also allow remote command execution, letting an attacker run shell commands on MyCloud devices.

Worse, those commands don't run under a limited service account but as root, so a successful exploit gives an attacker full control of the device, including the ability to upload or download data at will.

Below is a video recorded by Zenofex showing a few of the security flaws in action.