
posted by martyb on Friday March 10 2017, @02:52AM
from the Hey!-You!-Get-off-of-my-Cloud! dept.

Western Digital My Cloud NAS devices have again been found wanting in the security department, as two sets of researchers have revealed a number of serious flaws in the devices' firmware.

WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization's office, and can be accessed either from a desktop located on the same network or remotely, with a smartphone, from wherever else in the world. Users can interact with it either via the administrative user interface or an application (that uses a RESTful API).

Zenofex, a member of the Exploitee.rs team, revealed the existence of a login bypass issue, several command injection flaws, and a number of other bugs on Saturday.

Then, on Tuesday, researchers with the SEC Consult Vulnerability Lab published a security advisory warning about:

  • The existence of an unauthenticated OS command injection vulnerability
  • The existence of an unauthenticated arbitrary file upload flaw (that could allow an attacker to upload a malicious file or script with OS commands into the devices' webserver), and
  • The fact that the devices' firmware has no anti-CSRF mechanisms.

"Due to [no anti-CSRF mechanisms], an attacker can force a user to execute any action through any script. As the [OS command injection and unauthenticated arbitrary file upload vulnerabilities] do not need authentication, those can be exploited via CSRF over the Internet as well!", the researchers noted.
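As an added example (not WD's firmware nor code from the advisory), a constructed model of a state-changing REST endpoint that applies the two anti-CSRF checks the advisory says the devices lack: a same-origin Origin/Referer check and a per-session synchronizer token. Hostnames, cookie and parameter names are made up for the illustration.

```python
import hmac
import secrets

class NasApi:
    """Constructed model of a NAS REST endpoint (not WD's code). A state-changing
    call needs a valid session cookie, a same-origin Origin/Referer header and a
    per-session synchronizer token that a third-party page cannot read."""

    def __init__(self, own_origin):
        self.own_origin = own_origin        # e.g. "https://mycloud.lan" (made up)
        self.sessions = {}                  # sid -> (user, csrf_token)
        self.executed = []                  # audit log of accepted actions

    def login(self, user):
        sid, token = secrets.token_hex(16), secrets.token_hex(16)
        self.sessions[sid] = (user, token)
        return sid, token                   # token is embedded in the page, not a cookie

    def handle_action(self, cookies, headers, form):
        """Return (status, reason); only status 200 performs the action."""
        sess = self.sessions.get(cookies.get("sid"))
        if sess is None:
            return 401, "no valid session"   # never run commands unauthenticated
        user, expected = sess
        origin = headers.get("Origin") or headers.get("Referer") or ""
        if origin != self.own_origin and not origin.startswith(self.own_origin + "/"):
            return 403, "cross-origin request"
        # constant-time compare so the token cannot be guessed byte by byte
        if not hmac.compare_digest(form.get("csrf_token", ""), expected):
            return 403, "missing or wrong CSRF token"
        self.executed.append((user, form.get("action")))
        return 200, "ok"


def demo():
    """One legitimate request against three forged/incomplete variants."""
    api = NasApi("https://mycloud.lan")
    sid, token = api.login("admin")
    cookie = {"sid": sid}                   # the browser attaches this automatically
    same_site = {"Origin": "https://mycloud.lan"}
    reboot = {"action": "reboot"}
    results = {
        "legit": api.handle_action(cookie, same_site, {**reboot, "csrf_token": token})[0],
        # attacker-controlled page: cookie still sent, but Origin differs and token unknown
        "forged": api.handle_action(cookie, {"Origin": "https://attacker.example"}, reboot)[0],
        "no_session": api.handle_action({}, same_site, reboot)[0],
        "no_token": api.handle_action(cookie, same_site, reboot)[0],
    }
    return results, len(api.executed)
```

Only the same-site request carrying the token is executed; the cookie alone, which a browser sends with any cross-site request, is not enough.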

Source:

https://www.helpnetsecurity.com/2017/03/08/western-digital-mycloud-nas-vulnerable/


  • (Score: 2, Interesting) by Anonymous Coward on Friday March 10 2017, @11:40AM (#477310)

    Looks like it is only an issue if the device is publicly available, but the whole point is that the My Cloud device phones home and when you connect from WD servers the connection is already there.

    So no punching through firewalls and no public IP address.

    Not good, but unless you have the IP public or are on a public (think coffee shop or office) network, not a "hair on fire", "rip out the cables" type of emergency?

    Please let me know if I am wrong (on this).
