Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy Bug Security

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud (theregister.co.uk) 74

Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges. From a report:This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."
This discussion has been archived. No new comments can be posted.

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud

Comments Filter:
  • "Hey, you, get off of my cloud."
    • "Hey, you, get off of my cloud."

      When I was your age, kids got yelled at for being on lawns and that's the way we liked it! Now I gotta yell at kids on clouds? I don't like it! [twimg.com]

      • >> "Hey, you, get off of my cloud."

        > When I was your age, kids got yelled at for being on lawns and that's
        > the way we liked it! Now I gotta yell at kids on clouds? I don't like it!

        I think you missed the reference. This is about the Rolling Stones song https://www.youtube.com/watch?... [youtube.com]

  • this is a feature not a bug, quit bugging us
    WD bug Support Team

    • Synology and QNAP have their issues, but one thing I am reasonably assured of with the Synology NAS models I have is decent security. It is very easy to use the onboard firewall, they have logging and reporting, onboard encryption for data (so if the drives or unit is taken, the data is protected), a backup utility to save data to an external drive, another NAS, or a cloud provider (with the option for clientside encryption.)

      On the cheap, I can buy a discontinued, new Synology 115j for $50 or so. Even thi

      • by anegg ( 1390659 )

        On the cheap, I can buy a discontinued, new Synology 115j for $50 or so.

        I'm curious - where can you buy a Synology 115j (new) for $50 or so? I didn't find one in a quick Google search... I ask because I'm looking for one.

  • I have one of these (Score:5, Informative)

    by wierd_w ( 1375923 ) on Wednesday September 19, 2018 @05:14PM (#57344788)

    First up--

    There are at least 3 kinds of MyCloud out there, not counting the multi-bay devices, which are probably likewise vunerable-- stay with me.

    First are the two generations of mycloud "personal cloud" devices. The last is the "Mycloud Home" device, which is more of a personal media server than an actual NAS. Of the first two, the generation 1 is possibly fixable by the end user easily. It uses a REAL root file system on persistent storage, meaning you can go in and make changes to the web UI and pals if you want to. The second generation, however, is a real bitch. I will wax philosophical on this latter model, as the multi-bay devices (EX2, EX2 ultra, and pals) are likewise afflicted, and based on the same codebase. In fact, you can poke at a system identification value, and enable features on the single bay units that are selling points on the more expensive dual bay versions, because they run the exact same software.

    The gen 2 MyCloud uses an initial ramdisk backed root file system, into which a cramfs container is mounted by the init script. The web UI and pals are hosted by this cramfs container, so unless you want to bake a brand new container to fix the CVE, you are boned.

    Also, the single bay mycloud units are now End of Life, as WD is no longer making them. They have switched whole hog to the MyCloud Home device, which is not a NAS appliance at all.

    Now, why I really dont give a flying rat's ass about the CVE:

    The MyCloud units DO NOT perform any signature checking against the kernel and ramdisk that the bootloader starts.

    SO-- You can TOTALLY replace that epic clusterfuck WD put on it, and replace it with a completely sane and sanitary minimalist debian installation, which lacks a web GUI to attack in the first place.

    Gen2 (and similar units) use uBoot. There are lots of good tools for making uBoot images and ramdisks. This system is easily made full-custom.

    • Or you could just shut off http services on the device. I don't think I've done anything but ssh into mine for like 4 years.

    • by ColaMan ( 37550 )

      The web UI and pals are hosted by this cramfs container, so unless you want to bake a brand new container to fix the CVE, you are boned.

      It's not that hard - especially if you're already know how to tinker with the web UI. Lift container off device, expand filesystem to a directory tree, do mods to tree, compact again. A few extra lines to type while doing your changes.

  • README.TXT (Score:5, Insightful)

    by devslash0 ( 4203435 ) on Wednesday September 19, 2018 @05:20PM (#57344828)
    Hey. Your friendly neighbour hacker here. I've noticed that you have terrible taste when it comes to porn so I've uploaded a few gig of some good stuff to your drive. You're welcome.
    • by G00F ( 241765 )

      Good start, don't forget to leave a autorun.inf with something along the lines of
      [autorun]
      shell\readme\command=notepad README.TXT

      Or rather, point them to an html page.

  • ...if it's too important to risk being ransom-wared, doxed, or generally abused in some way. If you must share files on a network with colleagues/friends/family, do it properly with a server, appropriate software, and hardened security.
    • If your computer can access it then it is "on the network", so unless you plan on disconnecting your computer NIC, connecting the cable to the NAS, accessing your data, unplugging the NAS, clearing your cache and rebooting your system, then reconnecting your NIC every time, you are not following your own advice. Nice try at sounding like you are a security expert, but you made it pretty clear that you don't understand how networks work.
      • I've been on /. for 15-20 years years now and I still don't understand how moderation works, nor how to moderate. That said, I would mod parent "computer can access it then it is "on the network"," way up.

        I have a small home network, main items being my WD NAS (which I now learn is insecure due to stupidity), my Plex box that plays media off that WD NAS, a printer, and, surprise! My laptop, which is where I control everything from.

        As time marches on I am less and less inclined to manually format my
      • Do you mean that the USB drive that periodically use to back-up my laptop is "on the network"? -- I find your definition overly broad and unhelpful.
        • If your computer is connected to the internet then when you have your USB drive plugged in and mounted it is on the network. No need for quotation marks, nor is it "my definition". If your computer has not been compromised then neither has the data on your drive, but if it has then your data on the FLASH drive is compromised as well, because when your computer is on the network, then so is any device to which it has access. This is actually the definition of networking.
          The OP likely meant "Don't open port
  • The last time they were told of a trivial exploit like this they ignored it for 6 months. [slashdot.org]
    Clearly Western Digital doesn't care whatsoever about security. (That vulnerability is also mentioned at the end of the article.)

    • by wierd_w ( 1375923 ) on Wednesday September 19, 2018 @06:36PM (#57345154)

      Indeed. This CVE has been known about, and known by WD for at least 2 firmware updates.

      WD seems staunchly unwilling to fix it. For whatever reason.

      Personally I find the software that runs on the MyCloud units to be... Sub-par on a wide assortment of levels, and have gone full custom debian some time ago. The device is MUCH more responsive without running ufraw-batch all the fucking time, and without a huge chunk of memory getting gobbled up by the ramdisk or WD's proprietary indexing daemon.

      I also get the benefits of a much more modern kernel (really, these things run a 3.x kernel! Blech!) with zram support (so the disk can actually go to fucking sleep, and not wake up when there is a paging operation).

      Sure, it requires you to know how to manage a linux server--- but the benefits! :P

      The Gen2's hardware is really not that bad for something the size of a small book, and which uses very little electricity. It can do a surprising number of tasks.

      (~1ghz dual core ARMv7 processor, 512mb RAM, gigabit wired ethernet, USB2 port-- for those interested)

  • by Qbertino ( 265505 ) <moiraNO@SPAMmodparlor.com> on Wednesday September 19, 2018 @05:29PM (#57344874)

    ... large scale n00bie-style f*ckups by professional companies in the data-security field absolutely bedazzling. Isn't something of this type gross neglect or something and can't they be sued into next wednesday for it?

    This is un-fucking-believable.

    • It's only surprising if you are new to the computer industry. Most of us already know how appalling it is that Windows is still a thing for example. The instances of grand scale incompetence causing this kind of issue where there is no accountability are so many I have to wonder if this is your first day on Slashdot?
    • by Anonymous Coward

      ...entirely at your own risk...WD not liable for anything...

      It goes downhill from there. Welcome to the world.

    • Though the manufacturing companies are pandering to the lazy users. The proper way to access a device on your LAN from the Internet is to set up your router with a VPN server. When you're away from home, you connect to your home router via the VPN. That'll give you access to your NAS, your security cameras, your media library, etc. while you're away from home.

      But users are too lazy to bother to set up a VPN server (even though many routers now come with one built-in) and manage a dynamic DNS domain na
    • by Cederic ( 9623 )

      Isn't something of this type gross neglect or something

      No, and yes.

      Introducing a vulnerability of this form is merely accidental and/or inexperienced. Even the best software engineers will cock up from time to time, and no affordable review process will catch everything.

      Failing to fix it for many months afterwards is however shitty indeed.

  • by davidwr ( 791652 ) on Wednesday September 19, 2018 @05:45PM (#57344964) Homepage Journal

    When will computers be subject to mandatory recalls when they have bugs that effectively prevent them from being used "as designed" or "as marketed?"

    Manufacturers would have a choice: Fix the problem or refund the purchase price.

  • My DL4100 NAS died this past weekend. Just the controller. Array, drives, data all fine. Controller just died 3mo after warranty ended. Luckily it used a standard container for the RAID5 set, and EXT4 so I was able to hook all 4 drives up to a system and drag the data off.

    Synology DS918+ now.

  • ... and I don't allow remote access.

    I have the shares disabled, as well.

    I'm a photographer with gigabytes of photos and I store them in multiple locations, including this NAS.

    Every now and then I log in through my WiFi and enable Share to copy new stuff to it.

    Then I disable all Shares.

    • by Cederic ( 9623 )

      ... and I don't allow remote access.
      [..]
      Every now and then I log in through my WiFi

      So all I need to do is get you to open a perfectly innocent web page on your primary computer with a specially crafted payload that connects to your device via your wireless LAN and does the nasty (including enabling remote access, if your firewall doesn't block that).

  • by Brett Buck ( 811747 ) on Wednesday September 19, 2018 @10:33PM (#57345960)

    If I didn't know better, I might come to the conclusion that storing sensitive data on someone else's hard drive, at random, was a risk and a bad idea.

    • by Cederic ( 9623 )

      Thank you for this insight but I am a little confused: What the fuck does this have to do with the topic at hand?

My sister opened a computer store in Hawaii. She sells C shells down by the seashore.

Working...