WD My Cloud NAS devices have hard-wired backdoor

This is serious: some of the messed-up machines can host VMs and databases
UPDATE If you have a Western Digital My Cloud network attached storage device, it's time to learn how to update its OS because researcher James Bercegay has discovered a dozen models possess a hard-coded backdoor.

The backdoor, detailed here, lets anyone log in as user mydlinkBRionyg with the password abc12345cba.

WD mostly markets the My Cloud range as suited for file sharing and backup in domestic settings. But several of the models with the backdoor are four-disk machines suitable for use as shared storage in small business and also capable of being configured as iSCSI targets for use supporting virtual servers. Throw in the fact that some of the messed-up machines can reach 40TB capacity and there's the very real prospect that sizeable databases are dangling online.

Observant readers will have spotted that the username includes the string "dlink". D-Link, the company, also makes network attached storage (NAS) devices and Bercegay wrote that he found “references to file names and directory structure that were fairly unique, and from the D-link device. But, they also perfectly matched my WDMyCloud device”.

It became “pretty clear to me as the D-Link DNS-320L had the same exact hard coded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all.”

D-Link, he said, patched the DNS-320L in July 2014 (firmware version 1.0.6). Western Digital users can remove the backdoor by installing version 2.30.174 of their firmware.

This sort of thing isn't unusual in the small NAS world: Cisco's small-business NAS units were made by QNAP, and other OEMs likewise aim to secure re-badging deals.

MyCloud versions that need patching include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Products on firmware version 4.x aren't affected.

The file upload bug Bercegay mentions is in the multi_uploadify.php script.

An error in the handling of the gethostbyaddr() function lets an attacker “send a post request that contains a file to upload using the parameter 'Filedata[0]', a location for the file to be upload to which is specified within the 'folder' parameter, and of course a bogus 'Host' header.”

An attacker can upload a PHP Web shell to the target, ask for the URI pointing to the backdoor, and trigger the payload. ®

UPDATE, January 15th: WD has posted a fix, here. ®
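As an added, defender-side illustration (not code from the article, from Bercegay's advisory or from WD): a small Python triage helper that applies the model and version facts above to a device inventory, and flags POSTs to the multi_uploadify.php endpoint in a constructed web access log. The model spellings, the dotted-integer firmware format, and the request path in the log are assumptions.

```python
"""Added example: triage for the WD My Cloud advisory (assumptions noted)."""
import re
from typing import List, Tuple

# Models the article lists as needing the 2.30.174 firmware (normalized later).
AFFECTED_MODELS = {
    "My Cloud", "My Cloud Mirror", "My Cloud Gen 2", "My Cloud PR2100",
    "My Cloud PR4100", "My Cloud EX2 Ultra", "My Cloud EX2", "My Cloud EX4",
    "My Cloud EX2100", "My Cloud EX4100", "My Cloud DL2100", "My Cloud DL4100",
}
FIXED_VERSION = (2, 30, 174)  # firmware that removes the backdoor, per the article

def _norm(model: str) -> str:
    """'MyCloudMirror' and 'My Cloud Mirror' should compare equal."""
    return model.replace(" ", "").lower()

_AFFECTED_NORM = {_norm(m) for m in AFFECTED_MODELS}

def parse_version(v: str) -> Tuple[int, ...]:
    """Assumes dotted integers, e.g. '2.30.174' -> (2, 30, 174)."""
    return tuple(int(p) for p in v.lstrip("vV").split("."))

def needs_patch(model: str, firmware: str) -> bool:
    """True if the pair is still exposed per the article: a listed model,
    not on the unaffected 4.x line, and older than 2.30.174."""
    if _norm(model) not in _AFFECTED_NORM:
        return False
    ver = parse_version(firmware)
    if ver[0] == 4:          # products on 4.x firmware aren't affected
        return False
    return ver < FIXED_VERSION

# Combined-log-format prefix: client, ident, user, [timestamp] "METHOD path ..."
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def suspicious_upload_requests(log_lines: List[str]) -> List[str]:
    """Source addresses that POSTed to multi_uploadify.php; a unit that is
    not expected to take uploads from outside the LAN should see none."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("method") == "POST" and "multi_uploadify.php" in m.group("path"):
            hits.append(m.group("src"))
    return hits

SAMPLE_LOG = [  # constructed lines, not real traffic; the path is assumed
    '192.168.1.20 - - [06/Jan/2018:10:02:11 +0000] "GET /web/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Jan/2018:10:05:43 +0000] "POST /example/multi_uploadify.php?folder=/ HTTP/1.1" 200 84',
    '192.168.1.20 - - [06/Jan/2018:10:06:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    print(needs_patch("My Cloud EX2 Ultra", "2.21.119"), suspicious_upload_requests(SAMPLE_LOG))
```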
