
posted by Fnord666 on Wednesday September 19 2018, @08:40PM
from the you-get-a-cloud-and-you-get-a-cloud-and-... dept.

'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud:

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet.

Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges.

This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it.

According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.

[...] The team has posted a proof-of-concept exploit showing how the bug could be targeted with a few lines of code.

Securify said it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.

Western Digital did not return a Reg request for comment on the matter.
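The design flaw the article describes (admin rights derived from a client-supplied `username=admin` cookie, with sessions merely attached to an IP address) can be contrasted with the usual fix. The following is an added, constructed model written for this story, not code from Western Digital, Securify or The Register; the class and method names are assumptions. It shows the cookie-trusting check beside a check that derives the role only from server-side state reached through an unguessable session token.

```python
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Request:
    """Constructed stand-in for an HTTP request to the NAS web interface."""
    client_ip: str
    cookies: dict


class CookieTrustingSessions:
    """Pattern the advisory describes: the role is whatever the cookie says."""

    def is_admin(self, req: Request) -> bool:
        # Nothing here proves a password was ever checked. Attaching a session
        # to the caller's IP address does not help, because the caller's own IP
        # is exactly the one the session gets attached to.
        return req.cookies.get("username") == "admin"


class TokenSessions:
    """Hardened form: role comes from server-side state keyed by a random token."""

    def __init__(self) -> None:
        self.sessions: dict[str, tuple[str, str]] = {}  # token -> (user, ip)

    def login(self, req: Request, username: str, password_ok: bool):
        # The caller verifies the password; only a successful check creates state.
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (username, req.client_ip)
        return token  # caller sets this as an HttpOnly, Secure cookie

    def current_user(self, req: Request):
        presented = req.cookies.get("session", "")
        for token, (user, ip) in self.sessions.items():
            # Constant-time compare, and the IP binding is an extra check,
            # never the sole proof of authentication.
            if hmac.compare_digest(token, presented) and ip == req.client_ip:
                return user
        return None

    def is_admin(self, req: Request) -> bool:
        # The client-supplied username cookie is ignored entirely.
        return self.current_user(req) == "admin"
```

The model uses constructed addresses from documentation ranges and does not reproduce the firmware's actual request handling.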



  • (Score: 2) by Immerman on Wednesday September 19 2018, @09:58PM (10 children)

    by Immerman (3985) on Wednesday September 19 2018, @09:58PM (#737256)

    Yet another case study in why you should always encrypt anything remotely sensitive locally before putting it in "the cloud" - then the worst that can happen is it's deleted.

    Which is why you also should never trust "the cloud" not to lose your stuff.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday September 19 2018, @10:10PM (5 children)

      by Anonymous Coward on Wednesday September 19 2018, @10:10PM (#737261)

      Yet another case study in why you should always encrypt anything remotely sensitive locally before putting it in someone else's servers - then the worst that can happen is it's deleted.

      Which is why you also should never trust someone else's servers not to lose your stuff.

      There. FTFY.

      That's all true, but the product in question [wdc.com] is a personal NAS device and, as such, isn't "someone else's servers." Which means your point is moot, at least WRT this issue.

      • (Score: 2, Informative) by Anonymous Coward on Wednesday September 19 2018, @10:34PM (3 children)

        by Anonymous Coward on Wednesday September 19 2018, @10:34PM (#737279)

        I'm pretty sure, in these sad times, purchasing and installing something in your house doesn't make it "yours". If you're not in control of the software it runs your "myCloud" still belongs to whoever is.

        • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @11:13PM (2 children)

          by Anonymous Coward on Wednesday September 19 2018, @11:13PM (#737290)

          The My Cloud box runs Linux and can be accessed via the command line. What more do you want?

          • (Score: 0) by Anonymous Coward on Thursday September 20 2018, @12:44AM (1 child)

            by Anonymous Coward on Thursday September 20 2018, @12:44AM (#737317)

            No backdoors, mmk?!

            • (Score: 0) by Anonymous Coward on Thursday September 20 2018, @01:05AM

              by Anonymous Coward on Thursday September 20 2018, @01:05AM (#737323)

              If you enable remote access you opened the backdoor.

      • (Score: 2) by Immerman on Wednesday September 19 2018, @11:50PM

        by Immerman (3985) on Wednesday September 19 2018, @11:50PM (#737301)

        "The cloud" can as easily be your own servers. If it's designed to be accessible over the internet, it's vulnerable by design.

    • (Score: 2) by krishnoid on Wednesday September 19 2018, @10:12PM (1 child)

      by krishnoid (1156) on Wednesday September 19 2018, @10:12PM (#737263)

      I thought it was a case study about never trusting hard drive manufacturers to correctly write any software other than drive firmware and diagnostic tools.

      • (Score: 1) by pTamok on Thursday September 20 2018, @06:01AM

        by pTamok (3042) on Thursday September 20 2018, @06:01AM (#737399)

        I thought it was a case study about never trusting hard drive manufacturers to correctly write any software other than drive firmware and diagnostic tools.

        FIFY

        For the paranoid/realists: Never trust.

    • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @10:56PM

      by Anonymous Coward on Wednesday September 19 2018, @10:56PM (#737283)

      the worst that can happen is it's deleted.

      or have it cracked by faster machines in the future.

      the lesson is, never store anything *very* important on anything electronic. ever.

    • (Score: 2) by FatPhil on Wednesday September 19 2018, @11:47PM

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Wednesday September 19 2018, @11:47PM (#737300) Homepage
      Exactly - always remember to add ?username=admin&aeskey=4AjsI95g_02afFTT9 to the http request so that your encrypted data can be sent to you safely.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 1, Funny) by Anonymous Coward on Wednesday September 19 2018, @10:11PM

    by Anonymous Coward on Wednesday September 19 2018, @10:11PM (#737262)

    You're encroaching on Microsoft's territory with lame security like that.

  • (Score: 2) by Snotnose on Wednesday September 19 2018, @10:23PM (9 children)

    by Snotnose (1623) on Wednesday September 19 2018, @10:23PM (#737275)

    I've got one of these, it's my media server so if it gets pwned I don't care. Then again, it runs Linux so suddenly I have an unknown root on my home network.

    Outside of buying something else, how do I mitigate this?

    --
    When the dust settled America realized it was saved by a porn star.
    • (Score: 2, Insightful) by Anonymous Coward on Wednesday September 19 2018, @10:26PM (1 child)

      by Anonymous Coward on Wednesday September 19 2018, @10:26PM (#737276)

      Unplug the network cable.

      • (Score: 2) by MostCynical on Wednesday September 19 2018, @10:47PM

        by MostCynical (2589) on Wednesday September 19 2018, @10:47PM (#737281) Journal

        Torn between "touché" and "insightful"

        --
        "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @11:16PM (1 child)

      by Anonymous Coward on Wednesday September 19 2018, @11:16PM (#737291)

      Outside of buying something else, how do I mitigate this?

      In the UI disable the remote/cloud access. That's all it takes (at least until they update the firmware).

      • (Score: 2) by Snotnose on Thursday September 20 2018, @12:02AM

        by Snotnose (1623) on Thursday September 20 2018, @12:02AM (#737303)

        Ahhh, I done did this first time I powered it up. I'm not totally stupid, just slow at times :)

        --
        When the dust settled America realized it was saved by a porn star.
    • (Score: 3, Informative) by PartTimeZombie on Wednesday September 19 2018, @11:18PM (2 children)

      by PartTimeZombie (4827) on Wednesday September 19 2018, @11:18PM (#737292)

      Outside of buying something else, how do I mitigate this?

      You really should use something else.

      There are any number of really good Linux or BSD based server OS's that are really easy to set up and run with just a little networking knowledge.

      Here's a list off the top of my head:

      ClearOS

      FreeNAS

      NAS4Free (might be called something else now)

      Nethserver

      Zentyal

      All of those are better than what you have. They can all run headless, and will act as great media servers, plus almost any other network service you might require.

      Oh yes. They are all free as well.

      I also have made the mistake of purchasing a WD My Cloud at one point. They are rubbish.

      • (Score: 2) by Snotnose on Thursday September 20 2018, @12:10AM (1 child)

        by Snotnose (1623) on Thursday September 20 2018, @12:10AM (#737304)

        I also have made the mistake of purchasing a WD My Cloud at one point. They are rubbish.

        The included backup software is worse than "totally sucks", but using different backup software works great. Haven't had any problems with it since I ditched that.

        Why do you say they are rubbish?

        I've got a 2 TB unit I bought 5-6 years ago. Saw a 6 TB for $100, been thinking of getting it to use as a backup. Which is odd because, until I got a Plex media server this drive was my backup and got used maybe 1 hour a week (backups). Now it's 3-4 hours/day (watching/listening to media, + backups).

        --
        When the dust settled America realized it was saved by a porn star.
        • (Score: 2) by PartTimeZombie on Thursday September 20 2018, @01:04AM

          by PartTimeZombie (4827) on Thursday September 20 2018, @01:04AM (#737322)

          I think they're rubbish because they tend to be crappy quality, but you seem to have had your money's worth, so good luck to you.

          You've used the magic word "backup" which as we all know doesn't mean what some people think it means.

    • (Score: 2) by Kilo110 on Wednesday September 19 2018, @11:18PM

      by Kilo110 (2853) Subscriber Badge on Wednesday September 19 2018, @11:18PM (#737293)

      Do you have an old computer or raspberry pi lying around you could repurpose?

    • (Score: 2) by NotSanguine on Thursday September 20 2018, @12:33AM

      by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Thursday September 20 2018, @12:33AM (#737312) Homepage Journal

      Disable external access to the device?

      --
      No, no, you're not thinking; you're just being logical. --Niels Bohr
  • (Score: 0) by Anonymous Coward on Wednesday September 19 2018, @11:01PM

    by Anonymous Coward on Wednesday September 19 2018, @11:01PM (#737285)

    When you share a chair, you take a friend off the floor,
    When you share an umbrella, you can let it pour,
    Sharing with friends, who could ask for more?

    Sharing is caring for someone else. Sharing is caring for someone else.

    When you give a hug, you get one, too.
    When you give a smile, it comes right back to you.
    giving from the heart is the thing to do.

    Sharing is caring for someone else. Sharing is caring for someone else.

    When you share your feelings others understand.
    Tell us when you feel happy, angry or sad,
    And if a friend seems lonely won't you take his/her hand, and say,

    Sharing is caring for someone else. Giving something away gives you something back.

  • (Score: 2) by drussell on Wednesday September 19 2018, @11:34PM

    by drussell (2678) on Wednesday September 19 2018, @11:34PM (#737297) Journal

    Wow, send a request with "username=admin"

    That's some top notch, high grade security there.... Well done!

    :facepalm:

  • (Score: 2) by jelizondo on Thursday September 20 2018, @02:24AM

    by jelizondo (653) Subscriber Badge on Thursday September 20 2018, @02:24AM (#737346) Journal

    He believes he is the only one entitled to be root [soylentnews.org] 😄

  • (Score: 1, Touché) by Anonymous Coward on Thursday September 20 2018, @02:54AM

    by Anonymous Coward on Thursday September 20 2018, @02:54AM (#737361)

    The disk is NTFS formatted on a Linux OS. The read throughput is so slow it makes stealing data impossible.
