WD My Cloud NAS boxes can be hacked over the internet, claim researchers

News
By Sharmishta Sarkar
published

Miscreants can remotely gain full control of devices

UPDATE: Western Digital has responded to our request for a statement, which we have published below.

Security researchers at Securify have discovered a vulnerability on Western Digital’s My Cloud NAS boxes which can grant attackers complete control over their contents. The exploit requires either local network or internet access to a My Cloud device in order to be run and bypasses the NAS box's usual login requirements.

Called CVE-2018-17153, the bug could potentially also give hijackers the ability to run commands that would typically require administrative privileges. Once access has been gained, hackers can view, copy, delete or overwrite any files that are stored on the device.

Your cloud can be pwned

According to Securify, "The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie."

Cutting through the jargon, that essentially means it’s the way WD My Cloud sets up an admin session connected to an IP address that raises the vulnerability. By simply adding the cookie username=admin to an HTTP CGI request sent via a local network or internet connection, anyone can gain access to the content stored on the NAS box.

Securify raised the issue with Western Digital in April, when the flaw was first discovered, but never heard back from the company. After five months of silence from WD, Securify has decided to publicly disclose the vulnerability.

We contacted Western Digital for a comment and the company has confirmed that a firmware update will be deployed shortly to fix the issue. "We are in the process of finalizing a scheduled firmware update that will resolve the reported issue," WD responded in an email. "We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks."

Sharmishta Sarkar
Sharmishta Sarkar
Managing Editor (APAC)

Sharmishta is TechRadar's APAC Managing Editor and loves all things photography, something she discovered while chasing monkeys in the wilds of India (she studied to be a primatologist but has since left monkey business behind). While she's happiest with a camera in her hand, she's also an avid reader and has become a passionate proponent of ereaders, having appeared on Singaporean radio to talk about the convenience of these underrated devices. When she's not testing camera kits or the latest in e-paper tablets, she's discovering the joys and foibles of smart home gizmos. She's also the Australian Managing Editor of Digital Camera World and, if that wasn't enough, she contributes to T3 and Tom's Guide, while also working on two of Future's photography print magazines Down Under.