Multiple vulnerabilities and a hard-coded backdoor were discovered in Western Digital’s My Cloud network attached storage (NAS) devices that could allow remote attackers to gain unrestricted root access to the device. GulfTech disclosed the security issues to Western Digital in mid-2017; six months later, full details and a proof-of-concept (PoC) exploit were published online. Western Digital released fixes in November last year, but it is unclear whether all of the security issues have been addressed.
Western Digital’s My Cloud NAS is a personal cloud storage unit that organizes photos and videos. It is listed on Amazon as the current best-selling NAS and is widely used by consumers and businesses. Its main purpose is to host files, and it can automatically back them up and sync them with various cloud and web-based services.
The most serious vulnerability found in My Cloud NAS allows a remote attacker to upload an arbitrary file to the web server running on vulnerable devices that are connected to the internet. The flaw resides in the multi_uploadify.php script and stems from the developer’s incorrect use of PHP’s gethostbyaddr() function. It can be easily exploited to gain a remote shell as root by sending a POST request that carries the file to upload in the Filedata parameter.
GulfTech also discovered a backdoor in the form of an administrator account with the username ‘mydlinkBRionyg’ and the password ‘abc12345cba.’ Anyone can log into a My Cloud device with these credentials, which are hard-coded into the binary and cannot be changed. The backdoor also gives malicious actors access to code that is vulnerable to command injection, which can likewise be used to spawn a root shell.
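As an added defensive example, not code from the article or from GulfTech’s advisory, the following Python script scans web-server access logs for the two indicators named above: POST requests to multi_uploadify.php, with the client address classified as LAN or external, and use of the hard-coded account. The sample log lines, URL paths and addresses are constructed, and the assumption that the device records the login name in the authenticated-user field or as a query parameter is mine.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Combined-log-format fields we need: client IP, authenticated user, request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
BACKDOOR_USER = "mydlinkBRionyg"      # hard-coded account named in the article
UPLOAD_SCRIPT = "multi_uploadify.php"  # script carrying the arbitrary-upload flaw
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
Finding = Tuple[int, str, str]  # (log line number, client IP, reason)

def is_lan_address(ip: str) -> bool:
    """RFC 1918 test; ipaddress.is_private is wider (it counts documentation ranges too)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    """Flag indicators of the two issues described above in web-server access logs."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        script = path.split("?", 1)[0].rsplit("/", 1)[-1]
        if method == "POST" and script == UPLOAD_SCRIPT:
            # An upload request from outside the LAN is the strongest sign of exposure.
            origin = "LAN" if is_lan_address(ip) else "EXTERNAL"
            findings.append((n, ip, f"POST to {UPLOAD_SCRIPT} from {origin} address"))
        # Assumption: the device logs the account as the auth user or as a query value.
        if user == BACKDOOR_USER or f"username={BACKDOOR_USER}" in path:
            findings.append((n, ip, "login with hard-coded backdoor account"))
    return findings

# Constructed sample lines (paths and addresses are illustrative, not from the device).
SAMPLE_LOG = """\
192.168.1.20 - - [10/Jan/2018:08:00:01 +0000] "GET /web/index.html HTTP/1.1" 200 5120
203.0.113.45 - - [10/Jan/2018:08:00:07 +0000] "POST /uploader/multi_uploadify.php HTTP/1.1" 200 87
198.51.100.9 - - [10/Jan/2018:08:00:12 +0000] "GET /cgi-bin/login.cgi?username=mydlinkBRionyg HTTP/1.1" 200 312
192.168.1.20 - - [10/Jan/2018:08:01:00 +0000] "POST /uploader/multi_uploadify.php HTTP/1.1" 200 87
"""

if __name__ == "__main__":
    for line_no, ip, reason in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {ip}: {reason}")
```

Feed the script real access logs from the device or a fronting proxy; hits from external addresses are the ones to treat as a likely compromise rather than a false alarm.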
Other flaws found in the storage devices include cross-site request forgery, command injection, denial of service, and information disclosure.
The vulnerability affects the following My Cloud NAS versions:
Products running firmware version 4.x are not affected.
Users can download the latest patches for My Cloud NAS devices here. It is recommended that users disconnect unpatched devices from the local area network (LAN) and block their internet access to avert any potential compromise.