[Image: xkcd comic]
A vulnerability (CVE-2018-17153) has been discovered in Western Digital's popular My Cloud network storage devices. It allows an attacker to bypass the authentication mechanism and create an administrative session tied to the attacker's IP address.
UPD: A poll shows that almost one in four Habr readers is literally within walking distance of a vulnerable device.
Information security researcher Remco Vermeulen has published full details of the vulnerability in the popular Western Digital My Cloud devices. The researcher took this step after the company, despite several requests, had still not closed the hole 15 months later.
Vermeulen reported the problem to the manufacturer back in April 2017, but at some point the company, for unknown reasons, broke off contact with him. White-hat hackers usually give a company 90 days to fix a reported vulnerability; in this story that waiting period has clearly been exceeded many times over.
To get into the device's web interface, it was enough to send a request to the /cgi-bin/network_mgr.cgi script with the cookie username=admin set: the system then granted administrative access without asking for a password. The next step is a POST request with cmd=cgi_get_ipv6&flag=1, which generates a session key and keeps the session alive, so that other scripts can be called with administrator rights. A successful attack gives complete control over the device settings, as well as the ability to read, write and delete any data stored on the device.
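As an added example (not from the original article or from the researcher's publication), the following Python script turns the two-step pattern described above into a detection rule: it scans request records for the username=admin cookie on network_mgr.cgi and for the follow-up POST with cmd=cgi_get_ipv6&flag=1, and marks whether the source lies inside an assumed trusted LAN range. The log format and the sample lines are constructed for the example; a real proxy or IDS in front of the device would need its own parser.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample records (not real device logs) in an assumed reverse-proxy
# format: src_ip | method | path | Cookie header | request body, one request per line.
SAMPLE_LOG = """\
192.168.1.20 | GET | /cgi-bin/network_mgr.cgi | username=admin |
203.0.113.7 | POST | /cgi-bin/network_mgr.cgi | username=admin; lang=en | cmd=cgi_get_ipv6&flag=1
192.168.1.21 | GET | /cgi-bin/home_mgr.cgi | lang=en |
192.168.1.22 | POST | /cgi-bin/network_mgr.cgi | username=admin | cmd=cgi_get_ipv6&flag=1
"""

TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # assumed LAN range
TARGET = "/cgi-bin/network_mgr.cgi"  # script named in the advisory


def parse_cookies(header):
    """Turn a raw Cookie header into a name -> value dict."""
    cookies = {}
    for item in header.split(";"):
        if "=" in item:
            name, value = item.strip().split("=", 1)
            cookies[name] = value
    return cookies


def classify(method, path, cookie_header, body):
    """Return the bypass stage a request matches, or None for benign traffic."""
    if path != TARGET or parse_cookies(cookie_header).get("username") != "admin":
        return None
    params = parse_qs(body)
    if method == "POST" and params.get("cmd") == ["cgi_get_ipv6"] and params.get("flag") == ["1"]:
        return "session-creation"  # second step: session key is generated
    return "admin-cookie-probe"  # first step: password prompt bypassed via cookie


def scan(log_text):
    """Return (src_ip, stage, trust) tuples for every request matching the pattern."""
    alerts = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 5:
            continue  # malformed record, skip
        src, method, path, cookie_header, body = fields
        stage = classify(method, path, cookie_header, body)
        if stage is None:
            continue
        trusted = any(ipaddress.ip_address(src) in net for net in TRUSTED_NETS)
        alerts.append((src, stage, "trusted-net" if trusted else "UNTRUSTED"))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Because the attack also works from the local network, a hit tagged trusted-net still deserves a look; the tag only helps prioritise.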
The researcher writes that the problem was found while reverse engineering the device's CGI binaries. He reproduced the vulnerability on the My Cloud model WDBCTL0020HWT with firmware version 2.30.172, but assumes it is not limited to this model, since all My Cloud products appear to use the same vulnerable software.
Users are strongly advised to restrict access to the My Cloud web interface to a list of trusted addresses and to disable access from public networks (Settings -> General -> Cloud Access). Out of the box, Dashboard Cloud Access is disabled, but the attack is also possible from the local network.
By the way, there is a review of the My Cloud 2 TB on Habr.