14 DAY TRIAL // Security researcher Remco Vermeulen reports that all Western Digital's My Cloud network-attached storage devices are vulnerable to an authentication bypass attack which gives full access to all data.
Western Digital My Cloud is a low-cost personal storage device with automatic backup designed and marketed by US data storage company Western Digital, used to backup anything from photos, videos, and documents, easily accessible from anywhere via the Internet.
CVE-2018-17153 is the CVE number of the vulnerability disclosed by Securify's Remco Vermeulen and discovered on April 9, 2017.
As Vermeulen states, unauthenticated attackers can easily exploit vulnerable Western Digital My Cloud devices to get admin privileges and gaining full control of the NAS.
Vermeulen tested the vulnerability Western Digital My Cloud NAS device running firmware version 2.30.172, but according to a confirmation post from Western Digital, the authentication bypass affects all their My Cloud products (minus the My Cloud Home).
Western Digital was notified about the My Cloud vulnerability a year ago, but they haven't acknowledged it until it had a CVE number
Attackers can exploit My Cloud's security weakness by sending a username=admin cookie inside an HTTP request to a server-side session created whenever an admin logs in through the web interface to call authenticated CGI modules.
According to Western Digital's post, "the vulnerability requires an attacker to already have access to a My Cloud owner’s local network or the My Cloud owner would have had to change factory settings in Dashboard Cloud Access allowing additional remote access to the My Cloud device."
The WD My Cloud models with the Dashboard Cloud Access feature and vulnerable are My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud EX2 Ultra, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100, My Cloud PR4100, My Cloud Mirror, and My Cloud Mirror Gen 2.
Western Digital says there is no fix for the issue at the moment, but the US data storage company is in the process of issuing a firmware update that will patch the reported vulnerability.
The even more surprising part of Remco Vermeulen's advisory is that he reported the authentication bypass bug to Western Digital's customer support and the company chose to ignore him until a CVE number was assigned.