CVE-2018-9148 mitigation / fix?

Western Digital WD My Cloud v04.05.00-320 devices embed the session token (aka PHPSESSID) in filenames, which makes it easier for attackers to bypass authentication by listing a directory. NOTE: this can be exploited in conjunction with CVE-2018-7171 for remote authentication bypass within a product that uses My Cloud.

Haven’t found anything on this in so i’m currently asking myself if this is already fixed or not?

But not sure if this is a vulnerability and if WD should dispute it because AFAIK this is a standard functionality of PHP (session.save_handler = files + session.save_path = "/var/lib/php/sessions") placing this file there and the same will happen on most default PHP applications as well:

When a session is started by a PHP script a session cookie is sent to the client a.k.a. browser requesting the script. This session cookie named PHPSESSID by default contains a 32 character “session” ID which is set to expire when the session ends.

PHP session cookie

Firefox shows the PHP session cookie. Notice the content which contains the session ID and expires which says end of the session

On the server-side a file named sess_X (replace X with the 32 character session ID) is created in the location specified in session.save_path setting in the php.ini file. This is C:\WINDOWS\Temp for windows and /var/lib/php/session in Linux. This file contains the names of all session variables and their respective values. So when a user whose browser contains the session ID 7iisicf6j2fde3tfverbh9she3 accesses the website the server checks for the file named sess_7iisicf6j2fde3tfverbh9she3 in its session save path and accordingly uses the variables in that file.

Should be noted that the first generation single bay v4.x firmware My Clouds are End of Life. And the support status for the v4.x is End of Updates.

End of Updates - For product out of warranty and no longer manufactured in the last 4 years: end of software and technical support.

Chances are probably good that WD won’t update the v4.x firmware. The v4.x firmware hasn’t been updated in over a year (09/04/2019).

1 Like