Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday September 19 2018, @08:40PM   Printer-friendly
from the you-get-a-cloud-and-you-get-a-cloud-and-... dept.

'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud:

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet.

Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges.

This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it.

According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.

[...] The team has posted a proof-of-concept exploit showing how the bug could be targeted with a few lines of code.

Securify said it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.

Western Digital did not return a Reg request for comment on the matter.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by Immerman on Wednesday September 19 2018, @09:58PM (10 children)

    by Immerman (3985) on Wednesday September 19 2018, @09:58PM (#737256)

    Yet another case study in why you should always encrypt anything remotely sensitive locally before putting it in "the cloud" - then the worst that can happen is it's deleted.

    Which is why you also should never trust "the cloud" not to lose your stuff.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1, Informative) by Anonymous Coward on Wednesday September 19 2018, @10:10PM (5 children)

    by Anonymous Coward on Wednesday September 19 2018, @10:10PM (#737261)

    Yet another case study in why you should always encrypt anything remotely sensitive locally before putting it in someone else's servers - then the worst that can happen is it's deleted.

    Which is why you also should never trust someone else's servers not to lose your stuff.

    There. FTFY.

    That's all true, but the product in question [wdc.com] is a personal NAS device and, as such, isn't "someone else's servers." Which means your point is moot, at least WRT this issue.

    • (Score: 2, Informative) by Anonymous Coward on Wednesday September 19 2018, @10:34PM (3 children)

      by Anonymous Coward on Wednesday September 19 2018, @10:34PM (#737279)

      I'm pretty sure, in these sad times, purchasing and installing something in your house doesn't make it "yours". If you're not in control of the software it runs your "myCloud" still belongs to whoever is.

      • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @11:13PM (2 children)

        by Anonymous Coward on Wednesday September 19 2018, @11:13PM (#737290)

        The My Cloud box runs Linux and can be accessed via the command line. What more do you want?

        • (Score: 0) by Anonymous Coward on Thursday September 20 2018, @12:44AM (1 child)

          by Anonymous Coward on Thursday September 20 2018, @12:44AM (#737317)

          No backdoors, mmk?!

          • (Score: 0) by Anonymous Coward on Thursday September 20 2018, @01:05AM

            by Anonymous Coward on Thursday September 20 2018, @01:05AM (#737323)

            If you enable remote access you opened the backdoor.

    • (Score: 2) by Immerman on Wednesday September 19 2018, @11:50PM

      by Immerman (3985) on Wednesday September 19 2018, @11:50PM (#737301)

      "The cloud" can as easily be your own servers. If it's designed to be accessible over the internet, it's vulnerable by design.

  • (Score: 2) by krishnoid on Wednesday September 19 2018, @10:12PM (1 child)

    by krishnoid (1156) on Wednesday September 19 2018, @10:12PM (#737263)

    I thought it was a case study about never trusting hard drive manufacturers to correctly write any software other than drive firmware and diagnostic tools.

    • (Score: 1) by pTamok on Thursday September 20 2018, @06:01AM

      by pTamok (3042) on Thursday September 20 2018, @06:01AM (#737399)

      I thought it was a case study about never trusting hard drive manufacturers to correctly write any software other than drive firmware and diagnostic tools.

      FIFY

      For the paranoid/realists: Never trust.

  • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @10:56PM

    by Anonymous Coward on Wednesday September 19 2018, @10:56PM (#737283)

    the worst that can happen is it's deleted.

    or have it cracked by faster machines in the future.

    the lesson is, never store anything *very* important on anything electronic. ever.

  • (Score: 2) by FatPhil on Wednesday September 19 2018, @11:47PM

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Wednesday September 19 2018, @11:47PM (#737300) Homepage
    Exactly - always remember to add ?username=admin&aeskey=4AjsI95g_02afFTT9 to the http request so that your encrypted data can be sent to you safely.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves