The WD My Cloud line has been found to be vulnerable to multiple attacks and while one bug was fixed, other ones were introduced. That is the bad news and the maybe worse news is, that the flaws are public knowledge now. With that in mind, you might want to kill the internet connection to your WD My Cloud device, if you have one running.
Exploitee.rs discovered a number of unpatched security flaws in Western Digital’s My Cloud models that let remote intruders bypass the login system altogether, insert their own commands, and upload files without any permissions at all. Those are some serious flaws.
The reason that the researchers went public with their findings right away instead of reporting them back to WD is that WD has a very bad reputation in that regard. For example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them. By going public with the information, Exploitee.r hopes to force WD to react and patch the flaws.
While forcing WD’s hand, the researchers also put users are at risk until the flaws are patched. So it is highly recommended that you disconnect any of these devices from the Internet. They’ll still be vulnerable locally through your ethernet connections, but that is a lot harder for hackers to gain access to.
The full blog post goes into details on how to reproduce and exploit the hack through the web interface’s source code, and it also explains why it’s possible. In short, bad coding skills and misuse of commands. There is even a demo video on YouTube which shows you how it is done. The scary part is how easy it is. Now we only can hope that WD patches these issues as soon as possible.
Most, if not all, of the research, can be applied to the entire series of Western Digital My Cloud products. This includes the following devices:
- My Cloud
- My Cloud Gen 2
- My Cloud Mirror
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
And number of bugs found in total is the scariest part:
- 1 x Login Bypass
- 1 x Arbitrary File Write
- 13 x Unauthenticated Remote Command Execution Bugs
- 70 x Authentication Required Command Execution Bugs (”Authentication Required” bugs can be reached with the login bypass bug.)
