Western Digital My Cloud NAS devices have again been found wanting in the security department, as two sets of researchers have revealed a number of serious flaws in the devices' firmware.
WD My Cloud is meant to be a private cloud environment hosted at home or at a small organization's office, and can be accessed either from a desktop located on the same network or remotely, with a smartphone, from wherever else in the world. Users can interact with it either via the administrative user interface or an application (that uses a RESTful API).
Zenofex, a member of the Exploitee.rs team, revealed the existence of a login bypass issue, several command injection flaws, and a number of other bugs on Saturday.
Then, on Tuesday, researchers with the SEC Consult Vulnerability Lab published a security advisory warning about:
- The existence of an unauthenticated OS command injection vulnerability
- The existence of an unauthenticated arbitrary file upload flaw (that could allow an attacker to upload a malicious file or script with OS commands into the devices' webserver), and
- The fact that the devices' firmware has no anti-CSRF mechanisms.
"Due to [no anti-CSRF mechanisms], an attacker can force a user to execute any action through any script. As the [OS command injection and unauthenticated arbitrary file upload vulnerabilities] do not need authentication, those can be exploited via CSRF over the Internet as well!", the researchers noted [sec-consult.com].
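The missing anti-CSRF mechanism the researchers describe is the core of the problem: a browser attaches the device's session cookie to any request, including one a script on an unrelated site makes the user's browser send. The usual fix is a synchronizer token that only a page served by the device itself could have read and echoed back. The following is an added illustration, not code from the WD firmware or from either research team; the endpoint, the session store and the request shape are constructed for the example.

```python
"""Synchronizer-token CSRF protection for a state-changing web endpoint.

Added example (not WD My Cloud firmware code). Authentication (the session
cookie, sent automatically by the browser) and the CSRF check (a token bound
to that session) are deliberately independent: a forged cross-site request
carries the cookie but cannot carry a valid token.
"""
import hashlib
import hmac
import secrets

# Per-process signing key for CSRF tokens (constructed for this example).
CSRF_KEY = secrets.token_bytes(32)

# Constructed session store: cookie value -> authenticated user.
SESSIONS = {"sess-abc123": "admin"}


def issue_csrf_token(session_id: str) -> str:
    """Mint a token bound to one session: random nonce + HMAC over (session, nonce).

    The server embeds this in every form it renders for the logged-in user.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session's nonce and compare in constant time.

    A token minted for another session fails because the session id is part
    of the MAC input; a malformed or empty token fails before any comparison.
    """
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(CSRF_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_run_command(request: dict) -> tuple[int, str]:
    """Handler for a hypothetical state-changing endpoint (constructed).

    `request` is a dict with 'cookies' and 'form' mappings, standing in for a
    parsed HTTP POST. Returns (status, message).
    """
    session_id = request.get("cookies", {}).get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        # No valid session cookie: the request is not even authenticated.
        return 401, "authentication required"
    token = request.get("form", {}).get("csrf_token", "")
    if not verify_csrf_token(session_id, token):
        # Cookie present but token absent or wrong: reject, do not act.
        return 403, "missing or invalid CSRF token"
    return 200, f"action performed for {user}"


if __name__ == "__main__":
    sid = "sess-abc123"
    good = {"cookies": {"session": sid}, "form": {"csrf_token": issue_csrf_token(sid)}}
    forged = {"cookies": {"session": sid}, "form": {"cmd": "anything"}}  # no token
    print(handle_run_command(good))    # (200, 'action performed for admin')
    print(handle_run_command(forged))  # (403, 'missing or invalid CSRF token')
```

The token is tied to the session rather than stored server-side, so the device needs no extra state; the random nonce keeps tokens unpredictable, and `hmac.compare_digest` avoids leaking the expected value through timing. Checking the `Origin` or `Referer` header against the device's own host is a reasonable second layer, but the token check is the one that must not be skipped.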
Source:
https://www.helpnetsecurity.com/2017/03/08/western-digital-mycloud-nas-vulnerable/ [helpnetsecurity.com]