WD My Cloud NAS boxes can be hacked over the internet, claim researchers

UPDATE: Western Digital has responded to our request for a statement, which we have published below.

Security researchers at Securify have discovered a vulnerability on Western Digital’s My Cloud NAS boxes which can grant attackers complete control over their contents. The exploit requires either local network or internet access to a My Cloud device in order to be run and bypasses the NAS box's usual login requirements.

Called CVE-2018-17153, the bug could potentially also give hijackers the ability to run commands that would typically require administrative privileges. Once access has been gained, hackers can view, copy, delete or overwrite any files that are stored on the device.

Your cloud can be pwned

According to Securify, "The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie."

Cutting through the jargon, that essentially means it’s the way WD My Cloud sets up an admin session connected to an IP address that raises the vulnerability. By simply adding the cookie username=admin to an HTTP CGI request sent via a local network or internet connection, anyone can gain access to the content stored on the NAS box.

Securify raised the issue with Western Digital in April, when the flaw was first discovered, but never heard back from the company. After five months of silence from WD, Securify has decided to publicly disclose the vulnerability.

We contacted Western Digital for a comment and the company has confirmed that a firmware update will be deployed shortly to fix the issue. "We are in the process of finalizing a scheduled firmware update that will resolve the reported issue," WD responded in an email. "We expect to post the update on our technical support site at https://support.wdc.com/ within a few weeks."

Sharmishta Sarkar
Managing Editor (APAC)

While she's happiest with a camera in her hand, Sharmishta's main priority is being TechRadar's APAC Managing Editor, looking after the day-to-day functioning of the Australian, New Zealand and Singapore editions of the site, steering everything from news and reviews to ecommerce content like deals and coupon codes. While she loves reviewing cameras and lenses when she can, she's also an avid reader and has become quite the expert on ereaders and E Ink writing tablets, having appeared on Singaporean radio to talk about these underrated devices. Other than her duties at TechRadar, she's also the Managing Editor of the Australian edition of Digital Camera World, and writes for Tom's Guide and T3.