This article is more than 1 year old
Top tip: Unplug your WD My Cloud boxen – now
Unless you want your backups to be in 'Someone Else's Cloud'
Western Digital is preparing patches for its My Cloud storage devices because they can be easily hijacked from across the internet or network.
At the time of writing, there's no fix, so the best thing to do is firewall or power off My Cloud kit and wait. Whoever can reach one of the at-risk storage system's builtin administrative web server – be it anyone on the public internet or someone within your network – can execute arbitrary commands on the machine and upload files. This is bad news for a SOHO backup system.
WD's firmware also has cross-site request forgery vulnerabilities, meaning a malicious webpage can potentially make a victim's browser connect to a My Cloud device on the network and compromise it. Surfing to a booby-trapped website would be enough to lose control of your My Cloud device. The affected firmware versions (and models) are:
At least version 2.21.126 (My Cloud), 2.11.157 (My Cloud EX2), 2.21.126 (My Cloud EX2 Ultra), 2.11.157 (My Cloud EX4), 2.21.126 (My Cloud EX2100), 2.21.126 (My Cloud EX4100), 2.11.157 (My Cloud Mirror), 2.21.126 (My Cloud Mirror Gen2), 2.21.126 (My Cloud PR2100), 2.21.126 (My Cloud PR4100), 2.21.126 (My Cloud DL2100), and 2.21.126 (My Cloud DL4100).
Word of the security blunders came from SEC Consult Vulnerability Lab, which published an advisory on Tuesday after someone went public with full details of the flaws. SEC Consult warned WD back in January that it had uncovered holes in the My Cloud firmware, and gave the vendor 90 days to fix the bugs before it would reveal its findings to the world.
Then, at the turn of March, someone calling themselves Zenofex blabbed there were more than 80 ways to get remote root on the boxes, covering "the entire series" of the hardware. These flaws can be exploited to bypass logins, perform arbitrary root file writes, and execute remote commands with or without authentication. This week, SEC Consult pulled the trigger and went into full disclosure mode.
"By combining the vulnerabilities documented in this advisory an attacker can fully compromise a WD My Cloud device. In the worst case one could steal sensitive data stored on the device or use it as a jump host for further internal attacks," SEC Consult noted. "SEC Consult recommends not to attach WD My Cloud to the network until a thorough security review has been performed by security professionals and all identified issues have been resolved."
Here's a video demonstrating the vulnerabilities:
Zenofex says he or she discovered WD's security cockups simply by examining the authentication code in the My Cloud firmware's web-based user interface.
For example, the command injection bugs are simple: "A majority of the functionality of the WDCloud web interface is actually handled by CGI scripts on the device. Most of the binaries use the same pattern, they obtain post/get/cookie values from the request, and then use the values within PHP calls to execute shell commands. In most cases, these commands will use the user supplied data with little or no sanitisation."
SEC Consult Vulnerability Lab has published Curl commands for some of the vulnerabilities to prove the bugs are real. The lab's Wan Ikram and Fikri Fadzil also note there is "no anti-CSRF mechanism implemented for all accessible scripts in the firmware." ®
Biting the hand that feeds IT
