CVE-2017-17560 - Western Digital MyCloud - 'multi_uploadify' File Upload (Metasploit)


#1

So, who at WD messed-up on the last few updates to put a script into the firmware that allows unauthenticated file uploads and is there any knowledge of any compromised WD MyClouds?

How many days since the release of this exploit to when WD’s released this very uber-urgent security update?

An assumption is that once the fix is installed on a compromised WD MyCloud system then the compromise code would be removed?

For me the update to 2.30.181 went well.

EDIT: Think I found my answer in: WD My Cloud NAS devices have hard-wired backdoor

So it’s been discovered January 8th and update released January 18th.

So, which Western Digital employee has been royally kicked in the backside for leaving a deliberate back door into the MyCloud firmware since version 2.30.165 or before?

WD’s blog on the matter: https://blog.westerndigital.com/western-digital-cloud-update/
GulfTech advisory: http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125


#2

Heheh… I’m fairly convinced WD had no idea because WD doesn’t write their own code, they likely contract it out. (Hence the D-Link “plug.”) I’m guessing one of two things happened:

  1. The same contracted agency that wrote D-Link’s code wrote WD’s Code, and either exclusivity clauses in one or both companies’ contracts were missing or ignored.
  2. Someone outright pirated portions of D-Link’s code and inserted it into WD’s code.

Either way, it reflects poorly on WD as it exhibits poor quality control.


#3

Yeah… Seen the finer parts of some of the articles. It’s worrying news.


#4

PS: Don’t try the link to set the Web UI language to any of the language codes. I thought I would try it and managed to break the Web UI quite well. I DoSed my own NAS by curiosity, It is possible to get the Web UI working again from using the broken Web UI if you know where you need to click on the web-page to get to the language option and set-up English from there.

So, unfortunately, the other listed vulnerability issues are still there.