
Several critical vulnerabilities and a hardcoded backdoor were discovered by researchers in WD My Cloud storage devices, giving attackers unrestricted root access

Security researchers have discovered hardcoded backdoor access in WD My Cloud storage devices that gives attackers unrestricted root access. Several other security vulnerabilities were found alongside it: they allow remote attackers to download and upload files without authorization and to inject commands. The vulnerabilities were discovered by James Bercegay of the GulfTech research and development team, who published an advisory.

Researchers found a hardcoded backdoor in the device with fixed credentials. Anybody can log in to a WD My Cloud device using "mydlinkBRionyg" as the administrator username and "abc12345cba" as the password. Once logged in, an intruder can inject or execute any command as root.

"The triviality of exploiting these issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as "wdmycloud" and "wdmycloudmirror" etc.," the researcher said in the published post.

Another critical vulnerability discovered in the WD My Cloud device gives attackers unrestricted file upload access. It resides in the "multi_uploadify.php" script and stems from the developer's misuse and misunderstanding of PHP's gethostbyaddr() function. An attacker can also exploit this vulnerability to gain a remote shell as root by sending a POST request that carries the file to upload in the "Filedata[0]" parameter, the destination directory in the "folder" parameter, and, of course, a bogus "Host" header.

The researcher also said that he has written a Metasploit module to exploit this issue: "The module will use this vulnerability to upload a PHP webshell to the "/var/www/" directory. Once uploaded, the webshell can be executed by requesting a URI pointing to the back door, and thus triggering the payload."
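For defenders who cannot patch yet, the indicators in the paragraphs above (a POST to multi_uploadify.php, a Host header that is neither the device's real name nor address, and any login as the backdoor account) can be hunted for in web-server logs. The following script is an added example and is not code from the advisory or from Western Digital; the log format, the request paths other than the script name, and the allowed-host list are constructed assumptions that an administrator would replace with their own.

```python
import re
from dataclasses import dataclass
from typing import List, Set

# Hostnames and addresses this particular device is legitimately reached at.
# Assumption: the administrator fills this in; the values below are constructed.
ALLOWED_HOSTS: Set[str] = {"nas-office.local", "192.168.1.50"}

# Predictable default hostnames named in the advisory. Once the device has been
# renamed, a request still carrying one of these is a sign of the iframe/img pivot.
DEFAULT_HOSTS = {"wdmycloud", "wdmycloudmirror"}

# Account name of the hardcoded backdoor named in the advisory.
BACKDOOR_USER = "mydlinkBRionyg"

# Constructed access-log format (not the device's real log format):
#   <timestamp> <client-ip> "<METHOD> <path>" host=<Host header> user=<auth user or -> <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host=(?P<host>\S+) user=(?P<user>\S+) (?P<status>\d{3})$'
)

# Constructed sample lines; only "multi_uploadify.php", the default hostnames and
# the backdoor username come from the advisory, the paths around them do not.
SAMPLE_LOG = """\
2018-01-05T10:00:01Z 192.168.1.20 "GET /web/" host=nas-office.local user=admin 200
2018-01-05T10:00:07Z 192.168.1.20 "POST /multi_uploadify.php?folder=/var/www/" host=bogus.example user=- 200
2018-01-05T10:00:09Z 192.168.1.33 "GET /users" host=wdmycloud user=- 200
2018-01-05T10:00:12Z 192.168.1.33 "POST /login" host=nas-office.local user=mydlinkBRionyg 200
"""


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def analyse(log_text: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> List[Finding]:
    """Return one Finding per matched indicator, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        rec = m.groupdict()
        host = rec["host"].lower().split(":")[0]  # drop any :port suffix
        script = rec["path"].split("?")[0].rsplit("/", 1)[-1].lower()

        # 1. Any POST to the vulnerable upload script is worth a look.
        if rec["method"] == "POST" and script == "multi_uploadify.php":
            findings.append(Finding(n, "upload-script",
                                    f"POST to {script} from {rec['client']}"))

        # 2. A Host header the device is not actually known by: either the bogus
        #    Host header of the upload exploit or a browser-side pivot via a default name.
        if host not in allowed_hosts:
            kind = "default-hostname" if host in DEFAULT_HOSTS else "unexpected-host"
            findings.append(Finding(n, kind,
                                    f"Host header {rec['host']!r} from {rec['client']}"))

        # 3. Any authentication as the hardcoded account is never legitimate.
        if rec["user"] == BACKDOOR_USER:
            findings.append(Finding(n, "backdoor-account",
                                    f"login as {BACKDOOR_USER} from {rec['client']}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f.line_no}: [{f.rule}] {f.detail}")
```

On the sample above the first line is clean, the upload POST yields two findings (the script and its bogus Host header), the request via "wdmycloud" is flagged as a default-hostname hit, and the backdoor login is flagged on its own. The Host-header rule only helps once the device has been given a non-default name, which is why the default names are kept separate from the allow-list.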
Miscellaneous vulnerabilities found in the WD My Cloud device

Cross-site request forgery: The WD My Cloud web interface has no real XSRF protection. If a logged-in WD My Cloud admin visits a malicious website, that site can potentially take control of the device.

Command injection: A researcher from the "Exploiteers" team had earlier found several command injection flaws in the WDMyCloud device. The GulfTech research team also found command injection flaws in the device.

Denial of service: An attacker can abuse the language-preference functionality to cause a DoS of the web interface, because any unauthenticated user can set the global language preference for the entire WD My Cloud device and all of its users.

Information disclosure: By making a simple request to the web server, an attacker can dump a list of all users, including detailed user information.

James Bercegay said that he informed the vendor about the issues in June 2017 and that the vendor demanded 90 days to resolve them. Bercegay disclosed the vulnerabilities on Jan 03, 2017; there was no response from the vendor, and the vulnerabilities are still unpatched.

WD My Cloud firmware versions and models affected by the vulnerabilities: My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. WD My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are also affected.

What is the immediate measure to be taken? As a preventive measure, users are strongly advised to disconnect any affected device from the local network and restrict its internet access until patches are released.
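The three web-interface weaknesses listed above (no XSRF protection, an unauthenticated global language setting, and an unauthenticated user listing) share one root cause: state-changing and sensitive endpoints that do not tie the request to an authenticated session. The sketch below is an added example of how a small request router closes all three at once; it is not Western Digital's code, and the endpoint paths, session table, user table and supported-language list are constructed assumptions. The CSRF defence is a synchronizer token derived from the session id with HMAC, which a cross-site page cannot read and therefore cannot supply.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Per-device secret used to derive CSRF tokens. Assumption: a real device would
# generate it once at first boot and keep it outside the web root.
CSRF_KEY = secrets.token_bytes(32)

# Constructed session and user tables standing in for the device's auth backend.
SESSIONS: Dict[str, Dict[str, str]] = {
    "sid-admin": {"user": "admin", "role": "admin"},
    "sid-guest": {"user": "guest", "role": "user"},
}
USERS = {"admin": {"role": "admin"}, "guest": {"role": "user"}}
SUPPORTED_LANGUAGES = {"en", "de", "fr"}  # constructed; whatever the UI actually ships
DEVICE_STATE = {"language": "en"}


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session: embedded in the page, never readable cross-site."""
    return hmac.new(CSRF_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def handle(method: str, path: str, cookies: Dict[str, str],
           form: Dict[str, str]) -> Tuple[int, object]:
    """Route one request and return (status, body).

    Every endpoint requires a session cookie (closes the unauthenticated user
    listing and language change); every non-GET request additionally requires
    the session's CSRF token (closes the forged cross-site request)."""
    sid = cookies.get("session", "")
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "authentication required"

    if method != "GET" and not verify_csrf_token(sid, form.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"

    if method == "GET" and path == "/users":
        if session["role"] != "admin":
            return 403, "admin only"
        return 200, sorted(USERS)  # account names only, no credential material

    if method == "POST" and path == "/language":
        # A device-wide setting affects every user, so it is an admin action.
        if session["role"] != "admin":
            return 403, "admin only"
        language = form.get("language", "")
        # Validate the value; the advisory does not say how the DoS is triggered,
        # so rejecting anything outside the known set is a general precaution.
        if language not in SUPPORTED_LANGUAGES:
            return 400, "unsupported language"
        DEVICE_STATE["language"] = language
        return 200, language

    return 404, "not found"


if __name__ == "__main__":
    token = issue_csrf_token("sid-admin")
    print(handle("GET", "/users", {}, {}))
    print(handle("POST", "/language", {"session": "sid-admin"}, {"language": "de"}))
    print(handle("POST", "/language", {"session": "sid-admin"},
                 {"language": "de", "csrf_token": token}))
```

A forged request from a malicious site arrives with the victim's session cookie but without the token, so it stops at the 403 before any state is touched; an unauthenticated request stops at the 401 before it reaches either endpoint.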