Western Digital released a firmware update last year to address critical backdoor security vulnerabilities in its My Cloud NAS products but the company this week acknowledged more security issues with the devices still need to be addressed with firmware updates.
Western Digital addressed the My Cloud NAS security issues on certain models in a corporate blog post that was updated Tuesday. It stated that hackers could exploit default settings under several conditions: if they have access to the owners’ local network, if the My Cloud owner has enabled Dashboard Cloud Access on certain model or the My Cloud owners enabled additional “port forwarding” to the My Cloud devices.
“To mitigate the issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities,” the blog post update said. “All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible.”
The NAS devices are popular among home users and small businesses. The models that are affected include My Cloud, My Cloud Mirror, My Cloud Gen2, My Cloud PR2100, My CloudPR4100, My cloud EX2 Ultra, My Cloud EX2 and EX4, My Cloud EX200, EX4100, DL2100 and DL4100.
James Bercegay, a Gulftech researcher, initially alerted Western Digital about two examples of NAS security flaws in June 2017. One flaw he discovered is My Cloud devices were vulnerable to unrestricted file uploading via the multi_uploadify.php script because it was protected “with faulty logic.”
“This gives you root access to the box,” Bercegay said in an interview Wednesday. “As the file is uploading, it gets written to the disk with the permissions of root. This was code left in there by accident… it makes a request though a non-existent file name of ‘mydlink.cgi.’ You can load up any file you want.”
Bercegay said he also discovered the NAS products have a hardcoded backdoor vulnerability via a single file called NAS_Sharing.cgi, which bad actors can use to gain control of the system to steal data and spread malware. The backdoor vulnerability gives access just by using the username “mydlinkBRionyg” and password “abc12345cba.”
“It gives you complete control,” he said. “You are the ultimate, super user on the device. It means you are God on that machine.”
Bercegay alerted Western Digital, one of the largest hard drive manufacturers in the world, about the NAS security vulnerabilities back in June 2017. The storage company requested the standard 90 days grace period to deal with the issue before disclosing it but it took it six months to release firmware update v2.30.172 that addressed the remote access bugs.
“The triviality of exploiting this issue makes it very dangerous and even wormable,” Bercegay wrote in a Jan. 4 report on the Gulftech website. “Not only that, but users locked to the LAN are not safe either. An attacker could literally take over your WD My Cloud by just having your visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WD My Cloud such as ‘wdmycloud’ and ‘wdmycloudmirror.’”
Western Digital responded to an interview inquiry regarding the NAS security issues with an email:
“Minor issues are being addressed in future updates,” the company stated in the email. “Additionally, the My Cloud Home model architecturally is designed new from the ground up. We are not aware of any vulnerability to the security issues listed in the respective reports.”
Bercegay said companies should be able to promptly respond to security issues, but sometimes are slow to do so.
“It does not take long to do these things,” he said. “They just don’t prioritize it. There is a lot of bureaucracy and red tape, especially when it comes to security. (These problems happen in the first place) because of sloppy coding. It’s like 1999 all over again.”
Western Digital was awarded PWNIE Award in 2016 for a vendor that most poorly responded to a security issue.