date 2019-09-18
from the you-get-a-cloud-and-you-get-a-cloud-and-... dept.
'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud:
Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet.
Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges.
This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it.
According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.
[...] The team has posted a proof-of-concept exploit showing how the bug could be targeted with a few lines of code.
Securify said it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.
Western Digital did not return a Reg request for comment on the matter.
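Added example, not Securify's proof of concept and not Western Digital's code: a simplified Python model of the flaw class described above, where a session is tied to an IP address and the identity is read from a client-supplied `username` cookie, next to a hardened check that keeps the identity server-side. All function names, accounts and addresses are constructed, and how the IP-bound session comes to exist (here, any successful login from that address) is an assumption.

```python
import secrets

# Constructed sample accounts; a real device would store password hashes.
USERS = {"admin": "constructed-admin-pw", "alice": "constructed-user-pw"}
ip_sessions = set()     # flawed design: a session is just "this IP has logged in"
token_sessions = {}     # hardened design: random token -> (username, ip), server-side

def parse_cookies(header):
    """Split a Cookie header into a dict; every value here is client-controlled."""
    pairs = (part.strip().partition("=") for part in header.split(";"))
    return {name: value for name, sep, value in pairs if sep}

def check_password(username, password):
    expected = USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)

def login_flawed(username, password, client_ip):
    if check_password(username, password):
        ip_sessions.add(client_ip)      # remembers the address, not who logged in
        return True
    return False

def is_admin_flawed(client_ip, cookie_header):
    # Identity comes from the request itself, so the client chooses it.
    claimed = parse_cookies(cookie_header).get("username")
    return client_ip in ip_sessions and claimed == "admin"

def login_hardened(username, password, client_ip):
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)   # unguessable, issued only after the password check
    token_sessions[token] = (username, client_ip)
    return token

def is_admin_hardened(client_ip, cookie_header):
    # The cookie carries only an opaque token; the username is looked up server-side.
    token = parse_cookies(cookie_header).get("session", "")
    username, bound_ip = token_sessions.get(token, (None, None))
    return username == "admin" and bound_ip == client_ip
```

In the hardened check a `username=admin` cookie is simply ignored, because nothing the client sends is treated as a statement of who it is.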
(Score: 2) by Immerman on Wednesday September 19, @09:58PM (2 children)
Yet another case study in why you should always encrypt anything remotely sensitive locally before putting it in "the cloud" - then the worst that can happen is it's deleted.
Which is why you also should never trust "the cloud" not to lose your stuff.
(Score: 0) by Anonymous Coward on Wednesday September 19, @10:10PM
There. FTFY.
That's all true, but the product in question [wdc.com] is a personal NAS device and, as such, isn't "someone else's servers." Which means your point is moot, at least WRT this issue.
(Score: 2) by krishnoid on Wednesday September 19, @10:12PM
I thought it was a case study about never trusting hard drive manufacturers to correctly write any software other than drive firmware and diagnostic tools.
(Score: 0) by Anonymous Coward on Wednesday September 19, @10:11PM
You're encroaching on Microsoft's territory with lame security like that.
(Score: 2) by Snotnose on Wednesday September 19, @10:23PM (1 child)
I've got one of these, it's my media server so if it gets pwned I don't care. Then again, it runs Linux so suddenly I have an unknown root on my home network.
Outside of buying something else, how do I mitigate this?
The journey of a thousand miles may begin with the first step being in a pile of doggie doo.
(Score: 0) by Anonymous Coward on Wednesday September 19, @10:26PM
Unplug the network cable.