Western Digital resolves year-old password bypass bug in My Cloud NAS devices

The vulnerability can be exploited to give unauthenticated hackers full access to a device.
Written by Charlie Osborne, Contributing Writer

Western Digital has released a hotfix to resolve a serious authentication bypass vulnerability in the My Cloud product line which permits attackers to hijack and take full control of a vulnerable device.

The tech giant said late last week that the bug, CVE-2018-17153, will be resolved through a downloadable hotfix.

The patch will also be included in an over-the-air (OTA) update as part of the standard My Cloud firmware upgrade schedule.

The flaw is an authentication bypass. When an administrator logs in to the My Cloud web interface, the device creates a server-side session that is tied to the administrator's IP address, and it is this IP-based binding that the bypass abuses.

An unauthenticated attacker can create a valid admin session for their own IP address without ever supplying a password, and can then call CGI modules that normally require authentication simply by adding a crafted cookie to the HTTP request.

"The network_mgr.cgi CGI module contains a command called 'cgi_get_ipv6' that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter 'flag' with the value '1' is provided," a description of the flaw, posted on MITRE, reads. "Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie."

If exploited, an attacker can reach the My Cloud administrative interface without legitimate credentials, change device settings as if they held admin privileges, flash the firmware, and carry out other malicious actions.

Western Digital My Cloud devices containing firmware before 2.30.196 are affected.
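As an added example, not Western Digital's, MITRE's, or the researcher's code, the following Python shows two checks a defender would want for the flaw described above: a version test against the 2.30.196 fix threshold, and a stateful hunt over HTTP request records for the session-forging sequence (a cgi_get_ipv6 call with flag=1, followed by requests from the same client IP carrying a username=admin cookie). It assumes request records that carry client IP, path, query or body parameters and the Cookie header, as a reverse proxy in front of the NAS or a network IDS would produce; the page does not describe the device's own access log. It also assumes the CGI command travels in a parameter named cmd, which the advisory text does not state, and the sample requests are constructed. Because the session is bound only to the IP address, a legitimate administrator logging in from the same address is indistinguishable from an attacker in this data, so treat hits as hunting leads rather than proof of compromise.

```python
"""Added example for CVE-2018-17153 (not Western Digital's code).

Assumptions are marked ASSUMPTION; everything else comes from the article
and the MITRE description quoted in it.
"""
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

FIXED_VERSION = (2, 30, 196)   # article: firmware before 2.30.196 is affected
SESSION_CMD = "cgi_get_ipv6"   # MITRE: command that starts an admin session
CMD_PARAM = "cmd"              # ASSUMPTION: parameter that carries the CGI command


def is_vulnerable(version: str) -> bool:
    """True if a My Cloud firmware version string is older than 2.30.196."""
    parts = tuple(int(p) for p in version.strip().split("."))
    return parts < FIXED_VERSION


def _params(query: str, body: str) -> dict:
    """Merge query-string and form-body parameters; last value wins."""
    merged = parse_qs(query, keep_blank_values=True)
    merged.update(parse_qs(body, keep_blank_values=True))
    return {k: v[-1] for k, v in merged.items()}


def _cookies(header: str) -> dict:
    """Parse a Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header or "")
    return {name: morsel.value for name, morsel in jar.items()}


def detect(requests):
    """Return (client_ip, alert_kind, path) tuples for the forge sequence.

    State is keyed on client IP because the forged session is tied to the
    IP of the requester, exactly as the advisory describes.
    """
    forged = set()   # IPs that have issued cgi_get_ipv6 with flag=1
    alerts = []
    for req in requests:
        ip = req["ip"]
        params = _params(req.get("query", ""), req.get("body", ""))
        cookies = _cookies(req.get("cookie", ""))
        if (req["path"].endswith("/network_mgr.cgi")
                and params.get(CMD_PARAM) == SESSION_CMD
                and params.get("flag") == "1"):
            forged.add(ip)
            alerts.append((ip, "session-forge", req["path"]))
        elif ip in forged and cookies.get("username") == "admin":
            alerts.append((ip, "forged-admin-call", req["path"]))
    return alerts


# Constructed sample records (not real device logs). Paths other than
# network_mgr.cgi are placeholders.
SAMPLE_REQUESTS = [
    {"ip": "10.0.0.5", "path": "/cgi-bin/other.cgi", "query": "cmd=1", "cookie": ""},
    {"ip": "10.0.0.9", "path": "/cgi-bin/network_mgr.cgi",
     "body": "cmd=cgi_get_ipv6&flag=1", "cookie": ""},            # forge
    {"ip": "10.0.0.9", "path": "/cgi-bin/network_mgr.cgi",
     "body": "cmd=cgi_get_ipv6", "cookie": ""},                   # no flag: no session
    {"ip": "10.0.0.9", "path": "/cgi-bin/other.cgi",
     "body": "cmd=1", "cookie": "username=admin; lang=en"},       # rides forged session
    {"ip": "10.0.0.5", "path": "/cgi-bin/other.cgi",
     "cookie": "username=admin"},                                  # no forge from this IP
]

if __name__ == "__main__":
    for ver in ("2.30.174", "2.30.196"):
        print(ver, "vulnerable" if is_vulnerable(ver) else "fixed")
    for alert in detect(SAMPLE_REQUESTS):
        print(*alert)
```

Run over the sample, the detector reports the forge from 10.0.0.9 and the admin-cookie call that follows it, but stays silent for the cgi_get_ipv6 request without flag=1 and for the admin cookie sent from 10.0.0.5, which never created a forged session.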

The vulnerability, originally discovered by security researcher Remco Vermeulen and privately disclosed to Western Digital close to a year ago, had remained unpatched for over a year. Vermeulen said that WD "doesn't take security very seriously" and "refused to acknowledge or fix the finding."

WD announced an incoming hotfix after media reports about the vulnerability. The researcher said in response, "Thanks for the heads up. Is it also possible to assign a single point of contact for future responsible disclosures?" At the time of writing, the company has not responded publicly.

If you wish to update manually, Western Digital has published the hotfix for download.

The hotfix is distributed as a zip archive: extract the .bin firmware file, then open the My Cloud dashboard, go to Settings and "Firmware Update," and upload that file.

In June, Western Digital revealed new 10TB and 12TB drives designed to support the workload requirements of DVR and NVR systems which feature artificial intelligence (AI) capabilities.

ZDNet has reached out to WD with additional queries and will update if we hear back.
