UPDATE: Western Digital has responded to our request for a statement, which we have published below.
Security researchers at Securify have discovered a vulnerability on Western Digital’s My Cloud NAS boxes which can grant attackers complete control over their contents. The exploit requires either local network or internet access to a My Cloud device in order to be run and bypasses the NAS box’s usual login requirements.
Called CVE-2018-17153, the bug could potentially also give hijackers the ability to run commands that would typically require administrative privileges. Once access has been gained, hackers can view, copy, delete or overwrite any files that are stored on the device.
Your cloud can be pwned
According to Securify, “The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”
Cutting through the jargon, that essentially means it’s the way WD My Cloud sets up an admin session connected to an IP address that raises the vulnerability. By simply adding the cookie username=admin to an HTTP CGI request sent via a local network or internet connection, anyone can gain access to the content stored on the NAS box.
Securify raised the issue with Western Digital in April, when the flaw was first discovered, but never heard back from the company. After five months of silence from WD, Securify has decided to publicly disclose the vulnerability.
We contacted Western Digital for a comment and the company has confirmed that a firmware update will be deployed shortly to fix the issue. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” WD responded in an email. “We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks.”