'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud

Subject borrowed from El Reg:

https://www.theregister.co.uk/2018/09/18/remote_access_vulnerability_western_digital_my_cloud/

More details here:

https://www.securify.nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

Tested versions

This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.

Fix

There is currently no fix available.

Thoughts?


Yep. Here we go again. Another vulnerability reported to WD and no action publicly taken to fix the apparent vulnerability (for over a year). From the securify.nl article:

Tested versions

This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.

Fix

There is currently no fix available.

Timeline

  • 09 April 2017: Discovered vulnerability.
  • 10 April 2017: Reported to Western Digital customer support.
  • …: No more vendor response :confused:
  • 17 September 2018: Requested CVE
  • 18 September 2018: CVE-2018-17153 assigned
  • 18 September 2018: Published details

The following proof of concept demonstrates an attack abusing a user’s browser to remotely compromise (emphasis mine) a MyCloud device on a local network.

What I’m interested in knowing is whether this is going to be fixed by WD for My Cloud v1 (or whatever this model version was) as I think I did buy it nearly 5 years ago and it might be seen (by Western Digital, obviously) as reaching its EOL now…

Shockingly enough, this has been publicly known since March 2017 or even longer, including various PoCs :confused:

Exploitee.rs » Blog Archive » Hacking the Western Digital MyCloud NAS (Login Bypass)
Western Digital MyCloud - Exploitee.rs

Not talking about all the other currently publicly known and unfixed vulns:

Edit

We are in the process of finalizing a scheduled firmware update that will resolve the issue, which doesn’t affect the My Cloud Home drive. Get more info on our blog, here: https://blog.westerndigital.com/western-digital-my-cloud-update/

Thanks for the update. I had a look at the link you supplied and can see neither the My Cloud WDBCTL0020HWT 2TB model (confirmed as vulnerable in my OP above) nor the 4 GB version (WDBCTL0040HWT) that I own.

Care to clarify this?

Would it also not be a good practice to list all vulnerabilities under the same link to ensure that you are aware of them all (and address either)?

@krzemien
My Cloud (Single Bay) WDBCTL with firmware string 04.0x.00-xxx is not affected
My Cloud (Single Bay) WDBCTL with firmware string 2.xx.xxx is affected

Thanks for clarifications.

Will there be a software update soon as well? Because honestly the WD My Cloud browser software is total garbage. No search function even.


Is there going to be a fix for the My Cloud Mirror?
The only fix for (CVE-2018-17153) that can be found is not for the first gen.

From SBrown’s link above, it appears only the second gen Mirror has a fix. It is possible that, like the first gen single bay My Cloud, the first gen Mirror may not be affected. Hopefully @SBrown can comment specifically on the first gen Mirror.

My Cloud OS 3 September 2018 Security Hotfix Firmware Download

Firmware Download

My Cloud Mirror, EX2 and EX4 2.11.xxx code line and auto updates for 2.30.xxx code line is scheduled to release very soon.