Recently, a vulnerability was published in Western Digital NAS devices. Or rather, a genuine built-in backdoor, for which there is still no official patch.
The backdoor gives root access to the device simply by using a built-in login and password that work on many of WD's NAS models.
More under the cut.
James Bercegay discovered the vulnerability in mid-2017, but after the 6 months WD was given to fix the problem, no official patch was ever released.
Details of the vulnerability and an example exploit were published on GulfTech on January 5, 2018.
An additional nuisance of the backdoor is that the username and password are hard-coded and cannot simply be changed: anyone can use the admin login "mydlinkBRionyg" and the password "abc12345cba" to log in to My Cloud and reach the shell, which opens up a lot of options for unauthorized use. The situation should noticeably affect the company's reputation: overlooking such shortcomings in the production of NAS solutions, whose security WD writes about a lot (including on Habr), is very unprofessional.
If you think your home NAS is safe because it is not exposed directly to the Internet but simply switched on inside your local network, it can still be attacked through another user device (computer, tablet, phone). A user visits a website from his device on which an attacker has planted a specially crafted HTML image or IFrame; through it the attacker can try to query devices on your local network using predictable host names and gain unauthorized access without ever running an active scan against you.
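As an added illustration (not code from the original post or from WD), the following Python snippet shows how a defender could screen a NAS's HTTP access log for the two signs described above: any request carrying the hard-coded admin username, and requests whose Referer points to a site outside the LAN, as a cross-site image or IFrame would produce. The log layout, the CGI paths and the LAN host names are assumptions; WD's real log format may differ.

```python
import re
from urllib.parse import urlparse

# Hard-coded backdoor username published by GulfTech (quoted in the post above).
BACKDOOR_USER = "mydlinkBRionyg"

# Host names/addresses under which this NAS is legitimately reached on the LAN (assumed).
LAN_HOSTS = {"wdmycloud", "wdmycloud.local", "192.168.1.100"}

# Constructed sample log in a Combined-Log-like layout:
# client - authuser "request" status "referer"  (assumed format, not WD's real one)
SAMPLE_LOG = """\
192.168.1.5 - - "GET /web/index.html HTTP/1.1" 200 "-"
192.168.1.7 - - "POST /cgi-bin/login.cgi?username=mydlinkBRionyg HTTP/1.1" 200 "-"
192.168.1.5 - - "GET /cgi-bin/status.cgi HTTP/1.1" 200 "http://evil.example/page.html"
192.168.1.5 - - "GET /web/index.html HTTP/1.1" 200 "http://wdmycloud/web/"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<ref>[^"]*)"$'
)

def classify(line):
    """Return a list of finding tags for one log line (empty list if nothing suspicious)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    findings = []
    # The backdoor account may show up as the authenticated user or inside a login request.
    if m["user"] == BACKDOOR_USER or BACKDOOR_USER.lower() in m["req"].lower():
        findings.append("backdoor-user")
    # A Referer from outside the LAN means a third-party page drove the browser to the NAS.
    ref = m["ref"]
    if ref not in ("", "-"):
        host = urlparse(ref).hostname or ""
        if host not in LAN_HOSTS:
            findings.append("cross-site-referer")
    return findings

def scan(log_text):
    """Return (line_number, findings) for every line that produced a finding."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```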
Models that are vulnerable:
My Cloud Gen 2
My Cloud EX2
My Cloud EX2 Ultra
My Cloud PR2100
My Cloud PR4100
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
A Metasploit module is publicly available, so anyone can download it and use it to attack these NAS devices. Yes, this is exactly the moment when script kiddies become dangerous to every owner of the models listed above.
Until the manufacturer releases a patch and offers a fix for the vulnerability, it is recommended to disconnect the devices from your LAN (or at least power them off when not in use) and block their access to the Internet.
Update 1:
According to rumors, the November patch fixes the problem (thanks to FenrirR). Not vulnerable:
MyCloud 04.X Series with MyCloud 2.30.174
But WD did not really publicize the existence of the problem, so many users never updated their firmware. For a real test, do not just try entering the login and password; use Metasploit.
Update 2:
WD's official blog published an article just the other day (January 9) confirming that this vulnerability is closed by update v2.30.172.
It is also reported that some models with firmware versions 2.xx, except My Cloud Home, may contain a vulnerability in "Dashboard Cloud Access" and port forwarding, which WD employees are working on; the patch will be released very soon. Until then, it is recommended to restrict LAN access to trusted users and disable port forwarding.
Models that support Dashboard Cloud Access:
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud DL2100
My Cloud DL4100
My Cloud PR2100
My Cloud PR4100
My Cloud Mirror
My Cloud Mirror Gen 2
My Cloud Home models do not contain such vulnerabilities, as they were architecturally designed from scratch, without legacy problems.