VULNERABILITY with REST API

Hello,

I was recently asked by a charitable organisation to carry out some security tests on their new network attached storage device: MyCloud EX4100 (firmware version: 2.30.165).

After a number of hours of penetration testing attempts I found what I believe to be a new vulnerability while testing the built-in REST API feature.

This vulnerability allows ANY user to escalate their own privileges and communicate with all endpoints of the API at an administrator level. The user-cum-attacker is then effectively able to use all of the HTTP verbs to carry out tasks such as adding, deleting and amending any user, and viewing, downloading or uploading any file or folder.

While this would require a user to be registered on the device, this vulnerability renders the user privilege levels entirely useless - with this you may as well have all users as admin, able to access all areas of your device.

This, in my mind, is a security concern, but I couldn’t find anywhere obvious to raise it with Western Digital directly.

Please could you let me know the best method of raising this concern with WD? And if this is already a known vulnerability, or if you know of similar ones, please forgive me and point me in the direction of where they are documented.

Happy to provide more information upon request.

Thank you

Kind regards
@_Vintron

Hello Vintron,

Thank you for bringing this to our attention.

You should try contacting WD’s Technical Support about this.

To Contact WD for Technical Support
http://support.wdc.com/support/case.aspx?lang=en

Thank you for your response - I will contact the Technical Support team and I will aim to keep this thread updated with any progress.

Despite raising a support issue I am unfortunately still waiting for a response.

The automated response says that I should hear back within 2 working days; however, I posted this almost a week ago without any human response. This vulnerability continues to be an issue.

Are there any staff on here who could look into the status of this technical support request, or get the ball rolling with this one? REF: Case #082517-12266587

Hi Vintron,

Someone from WD is going to contact you soon.

Thanks!

I have received an email today which informs me that my case will be closed within 24 hours as I have not responded; however, the last email I received was from Demi from Service Support, which only informed me that my query had been passed to the engineering team and that they would be in touch, which clearly doesn’t demand a response from me.

Please can someone ensure that this ticket is NOT closed?!

As I said in my initial message - I am happy to provide further information (read: more technical details of the vulnerability) to assist you in the analysis, in the hope that this will be fixed as soon as possible.

I do not plan on disclosing this vulnerability, as I hope to work with you to get this resolved; however, I am unable to do so if this line of communication is closed.