Slashdot Mirror

← Back to Stories (view on slashdot.org)

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud (theregister.co.uk)

Posted by msmash on from the Very-Digital-Inc dept.

Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges. From a report:This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."

3 of 74 comments (clear)

  1. I have one of these by wierd_w · · Score: 5, Informative

    First up--

    There are at least 3 kinds of MyCloud out there, not counting the multi-bay devices, which are probably likewise vunerable-- stay with me.

    First are the two generations of mycloud "personal cloud" devices. The last is the "Mycloud Home" device, which is more of a personal media server than an actual NAS. Of the first two, the generation 1 is possibly fixable by the end user easily. It uses a REAL root file system on persistent storage, meaning you can go in and make changes to the web UI and pals if you want to. The second generation, however, is a real bitch. I will wax philosophical on this latter model, as the multi-bay devices (EX2, EX2 ultra, and pals) are likewise afflicted, and based on the same codebase. In fact, you can poke at a system identification value, and enable features on the single bay units that are selling points on the more expensive dual bay versions, because they run the exact same software.

    The gen 2 MyCloud uses an initial ramdisk backed root file system, into which a cramfs container is mounted by the init script. The web UI and pals are hosted by this cramfs container, so unless you want to bake a brand new container to fix the CVE, you are boned.

    Also, the single bay mycloud units are now End of Life, as WD is no longer making them. They have switched whole hog to the MyCloud Home device, which is not a NAS appliance at all.

    Now, why I really dont give a flying rat's ass about the CVE:

    The MyCloud units DO NOT perform any signature checking against the kernel and ramdisk that the bootloader starts.

    SO-- You can TOTALLY replace that epic clusterfuck WD put on it, and replace it with a completely sane and sanitary minimalist debian installation, which lacks a web GUI to attack in the first place.

    Gen2 (and similar units) use uBoot. There are lots of good tools for making uBoot images and ramdisks. This system is easily made full-custom.

    1. Re:I have one of these by wierd_w · · Score: 5, Informative

      Not really.

      The hardware is:

      1) Small. It fits neatly on a shelf, and is about the same size as a book.
      2) Very low power (electricity wise). It uses 12v @2A. Wooo. Such consumption.
      3) Not that weak really. It has a dual core Armv7 SoC running at ~1ghz, with 512mb of RAM, a SATA controller, a gigabit ethernet controller, and a USB3 controller.
      4) Not that expensive. Especially now that it is an end of life clearance item.

      It makes a pretty decent minecraft server, for instance. It would also make a good collection point for video surveillance systems using IP cameras (with backup to a better remote host at regular intervals).

      When planning *ANY* purchase, you should know exactly what you are getting, and why you are getting it. The advertised "persona cloud" functionality is *JUST* openvpn, being wrapped by WD's server front endpoints. (The MyCloud opens a stateful connection from inside your NAT firewall to the WD server farm, which then presents an accessable entrypoint to other users.) It is TOTALLY just a gimmick.

  2. Re:This isn't the first time by wierd_w · · Score: 3, Informative

    Indeed. This CVE has been known about, and known by WD for at least 2 firmware updates.

    WD seems staunchly unwilling to fix it. For whatever reason.

    Personally I find the software that runs on the MyCloud units to be... Sub-par on a wide assortment of levels, and have gone full custom debian some time ago. The device is MUCH more responsive without running ufraw-batch all the fucking time, and without a huge chunk of memory getting gobbled up by the ramdisk or WD's proprietary indexing daemon.

    I also get the benefits of a much more modern kernel (really, these things run a 3.x kernel! Blech!) with zram support (so the disk can actually go to fucking sleep, and not wake up when there is a paging operation).

    Sure, it requires you to know how to manage a linux server--- but the benefits! :P

    The Gen2's hardware is really not that bad for something the size of a small book, and which uses very little electricity. It can do a surprising number of tasks.

    (~1ghz dual core ARMv7 processor, 512mb RAM, gigabit wired ethernet, USB2 port-- for those interested)