Top tip: Unplug your WD My Cloud boxen – now

Unless you want your backups to be in 'Someone Else's Cloud'

Western Digital is preparing patches for its My Cloud storage devices because they can be easily hijacked from across the internet or from within the local network.

At the time of writing there is no fix, so the best thing to do is to firewall off or power down My Cloud kit and wait. Anyone who can reach an at-risk storage system's built-in administrative web server – whether from the public internet, if the device is exposed there, or from inside your network – can execute arbitrary commands on the machine and upload files, in some cases without even logging in. This is bad news for a SOHO backup system.

WD's firmware also has cross-site request forgery (CSRF) vulnerabilities, meaning a malicious webpage can make a victim's browser send requests to a My Cloud device on the victim's network and compromise it. Surfing to a booby-trapped website would be enough to lose control of your My Cloud device. The affected firmware versions (and models), at a minimum, are:

  • 2.21.126 – My Cloud
  • 2.11.157 – My Cloud EX2
  • 2.21.126 – My Cloud EX2 Ultra
  • 2.11.157 – My Cloud EX4
  • 2.21.126 – My Cloud EX2100
  • 2.21.126 – My Cloud EX4100
  • 2.11.157 – My Cloud Mirror
  • 2.21.126 – My Cloud Mirror Gen2
  • 2.21.126 – My Cloud PR2100
  • 2.21.126 – My Cloud PR4100
  • 2.21.126 – My Cloud DL2100
  • 2.21.126 – My Cloud DL4100

Word of the security blunders came from SEC Consult Vulnerability Lab, which published an advisory on Tuesday after someone went public with full details of the flaws. SEC Consult warned WD back in January that it had uncovered holes in the My Cloud firmware, and gave the vendor 90 days to fix the bugs before it would reveal its findings to the world.

Then, at the start of March, someone calling themselves Zenofex blabbed that there were more than 80 ways to get remote root on the boxes, covering "the entire series" of the hardware. These flaws can be exploited to bypass logins, write arbitrary files as root, and execute commands remotely with or without authentication. This week, SEC Consult pulled the trigger and went into full disclosure mode.

"By combining the vulnerabilities documented in this advisory an attacker can fully compromise a WD My Cloud device. In the worst case one could steal sensitive data stored on the device or use it as a jump host for further internal attacks," SEC Consult noted. "SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved."

[Video demonstrating the vulnerabilities, embedded in the original article]

Zenofex says he or she discovered WD's security cockups simply by examining the authentication code in the My Cloud firmware's web-based user interface.

For example, the command injection bugs are simple: "A majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of the binaries use the same pattern, they obtain post/get/cookie values from the request, and then use the values within PHP calls to execute shell commands. In most cases, these commands will use the user supplied data with little or no sanitisation."
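The pattern Zenofex describes – a request value spliced straight into a shell command – and one way to close it, as an added illustration in PHP. This is not code from the My Cloud firmware or from either researcher; the script name, the `path` parameter and the `/shares/` directory are hypothetical, chosen only to make the pattern concrete.

```php
<?php
// Added illustration, not WD's firmware code. The request parameter name
// ('path') and the /shares/ directory are hypothetical.

// --- Vulnerable: untrusted request data concatenated into a shell string ------
// A value such as "Public; id" terminates the ls command and runs a second one,
// as whatever user the web server's CGI scripts run as.
function list_share_vulnerable(array $post): string
{
    $cmd = "ls -la /shares/" . ($post['path'] ?? '');
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// --- Hardened: allowlist the value, then pass it as one quoted argument ---------
// escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
// so shell metacharacters such as ; | ` $( reach ls as literal characters.
function list_share_hardened(array $post): string
{
    $path = $post['path'] ?? '';
    // A share name is a single path component of safe characters; reject the rest.
    if (!is_string($path) || !preg_match('/^[A-Za-z0-9_-]{1,64}$/', $path)) {
        http_response_code(400);
        return '';
    }
    $cmd = 'ls -la ' . escapeshellarg('/shares/' . $path);
    $out = shell_exec($cmd);
    return is_string($out) ? $out : '';
}

// --- Better still: no shell at all when PHP can do the work itself -------------
function list_share_no_shell(string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        return [];
    }
    $entries = @scandir('/shares/' . $name);
    return $entries === false ? [] : array_values(array_diff($entries, ['.', '..']));
}

// Demonstration with a constructed request; a real CGI script would read $_POST.
$request = ['path' => 'Public; id'];
echo "vulnerable:\n", list_share_vulnerable($request);  // ls output, then `id` output
echo "hardened:\n", list_share_hardened($request);      // rejected: nothing runs
```

The allowlist does the real work; `escapeshellarg()` is the belt to its braces, and dropping the shell entirely removes the bug class rather than one instance of it. Note that neither fix helps while the script itself can be reached without authentication, which is the combination the advisory warns about.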

SEC Consult Vulnerability Lab has published curl commands for some of the vulnerabilities to prove the bugs are real. The lab's Wan Ikram and Fikri Fadzil also note there is "no anti-CSRF mechanism implemented for all accessible scripts in the firmware." ®
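What an anti-CSRF mechanism for such scripts looks like, as an added PHP example written for this page rather than taken from the firmware or the advisory. It assumes a PHP session already bound to a logged-in user; the function names and the `csrf` field name are hypothetical.

```php
<?php
// Added illustration of a per-session anti-CSRF token; not My Cloud firmware code.
// Assumes PHP >= 7.3 (array form of session_set_cookie_params) and an existing
// login session. Field name 'csrf' and function names are hypothetical.
declare(strict_types=1);

// Issue the token. Call when rendering any form or page that can trigger a
// state-changing action, and embed the value as a hidden field or header.
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // SameSite=Strict stops the browser attaching the session cookie to
        // cross-site requests at all; the token is the second line of defence
        // for browsers that ignore the attribute.
        session_set_cookie_params(['samesite' => 'Strict', 'httponly' => true]);
        session_start();
    }
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));  // 256 bits, CSPRNG
    }
    return $_SESSION['csrf'];
}

// Verify the token on every state-changing (POST) request. hash_equals() is a
// constant-time comparison, so the token cannot be recovered byte by byte
// from response timing.
function csrf_valid(array $post, array $session): bool
{
    $sent     = $post['csrf'] ?? '';
    $expected = $session['csrf'] ?? '';
    if (!is_string($sent) || !is_string($expected) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $sent);
}

// Typical use at the top of a CGI script that changes state:
//   if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($_POST, $_SESSION)) {
//       http_response_code(403);
//       exit;
//   }

// Self-check with constructed data (no browser or HTTP involved).
$session = ['csrf' => bin2hex(random_bytes(32))];
assert(csrf_valid(['csrf' => $session['csrf']], $session) === true);
assert(csrf_valid(['csrf' => 'attacker-guess'], $session) === false);
assert(csrf_valid([], $session) === false);
assert(csrf_valid(['csrf' => 'x'], []) === false);
echo "csrf checks passed\n";
```

Two caveats a practitioner would want: a token only protects actions that require a session in the first place, so endpoints reachable without authentication (the combination described above) must be put behind the login before the token adds anything; and GET requests must never change state, or the token is simply bypassed with an `<img>` tag.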


Biting the hand that feeds IT © 1998–2021