WD My Cloud NAS Hack Discovered

AlphaAtlas

[H]ard|Gawd
Staff member
Joined
Mar 3, 2018
Messages
1,713
Security researchers discovered an exploit that allows attackers to gain administrative access to WD My Cloud NAS devices. Simply having a cookie with the string "username = admin" when the device sends a login request will allow you to run administrative commands, such as reading or deleting files, without needing a password. The researchers tested proof of concept code on a model WDBCTL0020HWT NAS, but say the exploit works on most products in the My Cloud series. When it comes to responding to vulnerabilities, WD has a spotty track record, but thankfully they claim a patch for this exploit will be out in the coming weeks. Thanks to tikiman2012 for the tip.

It was found that it is possible for an unauthenticated attacker to create a valid session without needing to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocations of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.
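Since the post spells out the two-step pattern (an unauthenticated cgi_get_ipv6 flag=1 call, then admin commands carrying a username=admin cookie from the same IP), here is a defender-side log triage script for it. This is an added example, not code from the thread or from WD: the access-log layout (combined-log style with the Cookie header appended in quotes), the query parameter name cmd, the admin command names, the login endpoint and the PHPSESSID session cookie are all assumptions constructed for the example; only network_mgr.cgi, cgi_get_ipv6, flag=1 and the username=admin cookie come from the post.

```python
"""Triage web-server log lines for the My Cloud session-creation pattern.

Added example (not from the thread or from WD). The log format, the 'cmd'
parameter name, the admin command names, the login endpoint and the
PHPSESSID cookie are constructed assumptions; real device logs may differ.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log. Lines 1-3: an attacker-style sequence from 10.0.0.5.
# Lines 4-5: a normal admin at 10.0.0.9 who logged in first (PHPSESSID assumed).
SAMPLE_LOG = """\
10.0.0.5 - - [04/Oct/2018:12:00:01 +0000] "POST /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 51 "-"
10.0.0.5 - - [04/Oct/2018:12:00:02 +0000] "GET /cgi-bin/some_admin.cgi?cmd=list_shares HTTP/1.1" 200 900 "username=admin"
10.0.0.5 - - [04/Oct/2018:12:00:03 +0000] "POST /cgi-bin/some_admin.cgi?cmd=delete_file HTTP/1.1" 200 20 "username=admin"
10.0.0.9 - - [04/Oct/2018:12:05:00 +0000] "POST /cgi-bin/login_mgr.cgi?cmd=wd_login HTTP/1.1" 200 80 "-"
10.0.0.9 - - [04/Oct/2018:12:05:01 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 51 "PHPSESSID=abc123; username=admin"
"""

# ip ident user [timestamp] "METHOD target PROTO" status bytes "cookie-header"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    url = urlsplit(req["target"])
    req["path"] = url.path
    # Keep the first value of each query parameter (enough for cmd/flag checks).
    req["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    # "-" means no Cookie header was sent; otherwise split "a=b; c=d" pairs.
    req["cookies"] = dict(
        c.strip().split("=", 1) for c in req["cookie"].split(";") if "=" in c
    )
    return req


def is_session_creation(req):
    """True for the cgi_get_ipv6 call with flag=1 that the post describes."""
    return (
        req["path"].endswith("/network_mgr.cgi")
        and req["query"].get("cmd") == "cgi_get_ipv6"
        and req["query"].get("flag") == "1"
    )


def find_suspicious(log_text):
    """Return (ip, reason, raw_line) findings for the two-step pattern.

    A bare username=admin cookie is not a finding on its own, because a
    legitimately logged-in admin also carries it; what matters is that the
    IP obtained its session via cgi_get_ipv6 flag=1 with no cookie at all.
    """
    findings = []
    primed = set()  # IPs that created a session without presenting any cookie
    for line in log_text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        ip = req["ip"]
        if is_session_creation(req) and not req["cookies"]:
            primed.add(ip)
            findings.append((ip, "cgi_get_ipv6 flag=1 with no cookie (session created without login)", line))
        elif ip in primed and req["cookies"].get("username") == "admin":
            findings.append((ip, "admin cookie used after unauthenticated session creation", line))
    return findings


if __name__ == "__main__":
    for ip, reason, raw in find_suspicious(SAMPLE_LOG):
        print(f"{ip}: {reason}\n    {raw}")
```

Because the device ties the session to a client IP, the heuristic keys on IP as well, so devices behind a shared NAT address will blur the picture; treat a hit as a reason to pull the full request history for that address rather than as proof by itself.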
 
Security researchers discovered an exploit that allows attackers to gain administrative access to WD My Cloud NAS devices. Simply having a cookie with the string "username = admin" when the device sends a login request will allow you to run administrative commands, such as reading or deleting files, without needing a password. The researchers tested proof of concept code on a model WDBCTL0020HWT NAS, but say the exploit works on most products in the My Cloud series. When it comes to responding to vulnerabilities, WD has a spotty track record, but thankfully they claim a patch for this exploit will be out in the coming weeks. Thanks to tikiman2012 for the tip.

It was found that it is possible for an unauthenticated attacker to create a valid session without needing to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocations of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.
ffs it's like they're not even trying. I love the "in the coming weeks" bit too - really shows they're placing a big emphasis on security...
epicfacepalm.gif
 
Yea this thing sucks... although since all my stuff is anonymous shared on my local network, I'm not sure I'm all that concerned.
 
This is why you should never use consumer (or enterprise) appliances.

Always build your own server, and run open source software on it.

Appliances of any kind (storage, routing, firewall, etc.) are always going to be relinquishing some level of control, and that's when shit like this happens.
 
This is why you should never use consumer (or enterprise) appliances.

Always build your own server, and run open source software on it.

Appliances of any kind (storage, routing, firewall, etc.) are always going to be relinquishing some level of control, and that's when shit like this happens.
I do this. This is why I was up til 2 a.m. trying to save my data when I suffered a problem. There's a learning curve.
 
This is why you should never use consumer (or enterprise) appliances.

Always build your own server, and run open source software on it.

Appliances of any kind (storage, routing, firewall, etc.) are always going to be relinquishing some level of control, and that's when shit like this happens.

Unless you are truly a GOD level coder and start from scratch, a roll your own will still have bugs and flaws from the base OS, device drivers, network stack, etc. The moment you download code to use in your appliance, you are trusting someone else and in most cases a lot of someone elses to have done their jobs correctly. Not much different than trusting WD. And even if you are a GOD level coder, you might get interrupted at a critical time by the dog/cat/kid/etc deciding now is a wonderful time to test all their orifices at the same time on your favorite couch.

The real fail was allowing the data to be shared on the Internet. Get a flash drive and carry the crap you need with you, preferably encrypted. Leave the NAS in the house behind a properly configured firewall and have any important data encrypted and the unlock keys NOT on the LAN.
 
Unless you are truly a GOD level coder and start from scratch, a roll your own will still have bugs and flaws from the base OS, device drivers, network stack, etc. The moment you download code to use in your appliance, you are trusting someone else and in most cases a lot of someone elses to have done their jobs correctly. Not much different than trusting WD. And even if you are a GOD level coder, you might get interrupted at a critical time by the dog/cat/kid/etc deciding now is a wonderful time to test all their orifices at the same time on your favorite couch.

The real fail was allowing the data to be shared on the Internet. Get a flash drive and carry the crap you need with you, preferably encrypted. Leave the NAS in the house behind a properly configured firewall and have any important data encrypted and the unlock keys NOT on the LAN.


All systems have flaws.

The difference is, I have zero confidence that WD (or even Synology) fix something like this quickly.

If you have your home built server, running on *nix with a ZFS storage pool shared on the network via Samba/NFS and there is a security flaw, that shit usually has available patches within hours.
 
And the sad thing about things like this is that most of the people who might be using such an easy to use/setup web based NAS will never know of such warnings.
 
This is why you should never use consumer (or enterprise) appliances.

Always build your own server, and run open source software on it.

Appliances of any kind (storage, routing, firewall, etc.) are always going to be relinquishing some level of control, and that's when shit like this happens.
Too bad that 99% of the people that want/need a NAS have no idea how to roll their own, and half of the other 1% will do it wrong.
 
Too bad that 99% of the people that want/need a NAS have no idea how to roll their own, and half of the other 1% will do it wrong.

I liked computing better back when it was a geeky thing only people who actually knew what they were doing did.

These days when any old retard can own a computer, you get shit like this.

I'd argue, if you are not among the 0.5% who can do this right, you should try have a computer at all. Get off the internet please :p
 
This is why you never make these devices directly accessible from the web. VPN forever.
 
This is why you never make these devices directly accessible from the web. VPN forever.

Well, yeah, that's just common sense.

I have exactly two ports open in my firewall. One for SSH (with root login disabled, and on a non-standard very high port number) and one for VPN.

If I ever decided to do something silly like run a web server (LAMP or something like that) I'd have it on a dedicated machine (or at very least a dedicated VM, on a machine with Meltdown/Spectre fixed) with all network traffic on an isolated VLAN, controlled by a managed switch, with the configuration inaccessible from the machine hosting the webserver.

Some people just don't have a clue, and they shouldn't have these things.
 
This particular security exploit was discovered and reported to WD over a year ago.

The researchers in question tried to keep a dialog going until a fix was available, but WD went radio silent.
 
Reviving this cause I was considering getting a WD My Cloud Home 4TB drive, for photo/video backup:
Something like this:
https://www.ebay.com/itm/294894576066
Not sure this is web based - I would just use the iPhone app to back up photos/videos.

What about using Asus' app on my phone to control my router, is this a security no-no?
 
I keep a sticky note on my monitor that says:

user: ROOT
pw: h0n3yp07_bro
I have a note taped under my keyboard that reads L10WPX%ld*8()N because upside down it reads N()8*Pl%XdM017 or N()8*Pl%XdMOl7 or N()8*Pl%XdMO17 or you get the idea. I hope whoever uses it locks my accounts trying. (It's not even close to my real PW.)
 