Western Digital, one of the largest hard drive manufacturers in the world, recently fixed a litany of issues in its My Cloud line of storage devices, including a hardcoded backdoor and an unrestricted file upload vulnerability.
James Bercegay, a security researcher with Mississippi-based GulfTech Research and Development, said last week he initially contacted the company about the bugs back in June 2017. He finally disclosed the issues last Wednesday after Western Digital shipped a firmware update to address the vulnerabilities at the end of December.
The My Cloud line is one of the more popular lines of network attached storage devices. They help users organize photos, videos and other files, and allow for the automatic backup and syncing of files across devices.
Until the company fixed the issue, the backdoor could have let a remote attacker gain unrestricted root access to the device. Bercegay called the backdoor “classic” in a detailed write-up of the bugs. A user would simply need to log in with a set of predetermined credentials, and from there it wasn't too much work to gain complete control of the device.
The unrestricted file upload vulnerability stemmed from a misconfigured PHP file, multi_uploadify.php, that allowed Bercegay to gain a remote shell as root.
"All an attacker has to do is send a post request that contains a file to upload using the parameter "Filedata[0]", a location for the file to be upload to which is specified within the "folder" parameter, and of course a bogus "Host" header," the researcher wrote.
The researcher said he was able to identify a handful of less critical bugs in the devices, including a cross-site request forgery bug that could wipe devices, command injection bugs, a denial of service bug, and an information disclosure bug that could allow an attacker to dump a list of all of the device's users.
Bercegay said MyCloud 04.X Series and MyCloud 2.30.174 aren't vulnerable but that users running versions 2.30.165 or earlier of the following products should update to mitigate the flaws:
- MyCloud
- MyCloudMirror
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
The company stressed in a blog entry post-dated to December 31 that it addressed the vulnerabilities with a firmware update (v2.30.172) it issued last year. The company says it is "not aware of any vulnerability to the security issues listed in the respective reports."
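A fleet-inventory check built from the version guidance above, as an added example that is not from the article, the researcher or Western Digital. Hostnames and sample firmware strings are constructed, and treating builds between 2.30.165 and 2.30.172 as needing manual verification is an assumption, since the article does not say how they are affected.

```python
import re

# Product names from the article's list, normalised (lowercase, alphanumerics only).
AFFECTED_MODELS = {
    "mycloud", "mycloudmirror", "mycloudgen2", "mycloudpr2100",
    "mycloudpr4100", "mycloudex2ultra", "mycloudex2", "mycloudex4",
    "mycloudex2100", "mycloudex4100", "myclouddl2100", "myclouddl4100",
}
LAST_AFFECTED = (2, 30, 165)  # "2.30.165 or earlier" per the researcher
FIXED_IN = (2, 30, 172)       # firmware update cited by Western Digital

def parse_version(text):
    """Return the leading dotted numeric fields as a tuple, or None."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)+)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(model, firmware):
    """Classify one inventory entry as UPDATE, OK, VERIFY or NOT_LISTED."""
    key = re.sub(r"[^a-z0-9]", "", model.lower())
    if key not in AFFECTED_MODELS:
        return "NOT_LISTED"
    ver = parse_version(firmware)
    if ver is None:
        return "VERIFY"   # unreadable version string, check by hand
    if ver[0] == 4:
        return "OK"       # 04.X series reported as not vulnerable
    if ver <= LAST_AFFECTED:
        return "UPDATE"
    if ver >= FIXED_IN:
        return "OK"
    return "VERIFY"       # assumption: the article is silent on this range

# Constructed sample inventory: (hostname, model, firmware string).
INVENTORY = [
    ("nas-01", "My Cloud EX2 Ultra", "2.30.165"),
    ("nas-02", "My Cloud PR4100", "v2.30.172"),
    ("nas-03", "MyCloud", "04.05.00-320"),
    ("nas-04", "My Cloud DL2100", "2.30.168"),
    ("nas-05", "Other NAS", "5.1.0"),
]

def audit(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(model, fw) for host, model, fw in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(host, status)
```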
While it’s certainly encouraging Western Digital patched the vulnerabilities, it's less than encouraging it seemingly took the company six months to do it.
Regardless, it's the second time in the past year researchers have sounded the alarm over major holes in My Cloud. Last January researchers with the Austrian firm SEC Consult Vulnerability Lab found critical flaws in the personal storage devices. Two months later researchers with security firm Exploitee.rs found 85 different security issues in the product line. While the bugs were found on a PR4100 NAS device, researchers said they existed across WD’s portfolio of MyCloud NAS devices, including DL4100, EX4, EX2 Ultra and PR2100.
The Exploitee.rs bugs - a collection of command injection vulnerabilities, a stack-based buffer overflow bug and a cross-site request forgery flaw - could have let an attacker gain complete control of devices.