Western Digital has released a hotfix to resolve a serious authentication bypass vulnerability in the My Cloud product line which permits attackers to hijack and take full control of a vulnerable device.
The tech giant said late last week that the bug, CVE-2018-17153, will be resolved through a downloadable hotfix.
The patch will also be included in an over-the-air (OTA) update in the standard MyCloud firmware upgrade schedule.
The vulnerability, CVE-2018-17153, is described as an authentication bypass security flaw. When administrators log into the My Cloud platform, a server-side session is created which is tied to their IP address.
Unauthenticated attackers are able to create valid sessions without logging in with a password and are also able to call authenticated CGI modules by sending a tailored cookie in the HTTP request.
"The network_mgr.cgi CGI module contains a command called 'cgi_get_ipv6' that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter 'flag' with the value '1' is provided," a description of the flaw, posted on MITRE, reads. "Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie."
If exploited, attackers are able to access the My Cloud control platform without the need for legitimate credentials, tamper with device settings as if they possessed admin privileges, flash the firmware, and conduct other malicious activities.
Western Digital My Cloud devices containing firmware before 2.30.196 are affected.
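For defenders reviewing a device's web-access log for the request pattern described above, the following is an added example (not code from the article or from Western Digital). It assumes an Apache-style combined access log and assumes the cgi_get_ipv6 command is selected with a `cmd=` query parameter; the log lines are constructed, and `is_vulnerable_firmware` checks a version string against the fixed release 2.30.196.

```python
"""Flag requests matching the CVE-2018-17153 pattern in a NAS web-access log.

Assumptions (not stated in the article): combined-format access log, and the
cgi_get_ipv6 command chosen via a `cmd=` parameter in the query string.
Parameters sent in a POST body would not appear in an access log at all.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; the second path is a placeholder, not a real module.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Sep/2018:10:01:02 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 51 "-" "curl/7.61.0"
203.0.113.7 - - [20/Sep/2018:10:01:03 +0000] "GET /cgi-bin/placeholder_admin_module.cgi HTTP/1.1" 200 812 "-" "curl/7.61.0"
192.0.2.10 - - [20/Sep/2018:10:02:00 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6 HTTP/1.1" 200 51 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Sep/2018:10:02:05 +0000] "GET /cgi-bin/placeholder_admin_module.cgi HTTP/1.1" 401 40 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_trigger(target: str) -> bool:
    """True if the request hits network_mgr.cgi with cmd=cgi_get_ipv6 and flag=1."""
    parts = urlsplit(target)
    if not parts.path.endswith("/network_mgr.cgi"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("cmd") == ["cgi_get_ipv6"] and qs.get("flag") == ["1"]


def find_suspicious(log_text: str) -> list:
    """Return trigger requests and every later request from the same client IP.

    Because the session is bound to the requester's IP, follow-up activity from
    an IP that issued the trigger is what an analyst should review next.
    """
    primed, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        if is_trigger(target):
            primed.add(ip)
            findings.append({"ip": ip, "ts": m["ts"], "target": target, "kind": "trigger"})
        elif ip in primed:
            findings.append({"ip": ip, "ts": m["ts"], "target": target, "kind": "post-trigger"})
    return findings


def is_vulnerable_firmware(version: str) -> bool:
    """True when a dotted version string is older than the fixed release 2.30.196."""
    return tuple(int(p) for p in version.split(".")) < (2, 30, 196)
```

A request to cgi_get_ipv6 without `flag=1` (as from 192.0.2.10 above) is normal dashboard traffic and is deliberately not flagged.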
The vulnerability, originally discovered by security researcher Remco Vermeulen, has been unpatched for over a year despite a private disclosure close to a year ago. Vermeulen said that WD "doesn't take security very seriously" and "refused to acknowledge or fix the finding."
WD announced an incoming hotfix after media reports relating to the serious vulnerability. The researcher said in response, "Thanks for the heads up. Is it also possible to assign a single point of contact for future responsible disclosures?" At the time of writing, the company has not responded publicly.
If you wish to update manually, firmware updates are listed below.
The hotfix needs to be unzipped to obtain the .bin firmware file. Users then need to open the My Cloud dashboard interface, go to Settings and "Firmware Update," and upload the file.
- My Cloud FW 2.30.196
- My Cloud Mirror Gen2 FW 2.30.196
- My Cloud EX2 Ultra FW 2.30.196
- My Cloud EX2100 FW 2.30.196
- My Cloud EX4100 FW 2.30.196
- My Cloud DL2100 FW 2.30.196
- My Cloud DL4100 FW 2.30.196
- My Cloud PR2100 FW 2.30.196
- My Cloud PR4100 FW 2.30.196
In June, Western Digital revealed new 10TB and 12TB drives designed to support the workload requirements of DVR and NVR systems which feature artificial intelligence (AI) capabilities.
ZDNet has reached out to WD with additional queries and will update if we hear back.