A security researcher is urging owners of Western Digital MyCloud NAS devices to update the firmware of their portable hard-drives to fix a series of important security bugs he reported to the vendor, among which there is an easy exploitable and wormable hardcoded (backdoor) account.

James Bercegay, a security researcher with GulfTech Research and Development, discovered and reported these flaws to Western Digital in June 2017.

The researcher published a detailed report last Wednesday after Western Digital released firmware updates.

RCE, backdoor, and an CSRF

The expansive report describes three main flaws that can be abused for different results. A short summary of all the flaws is available below, but for more detailed analysis of each vulnerability readers should refer to Bercegay's bug report:

1) Unrestricted file upload - A PHP file found on the WD MyCloud's built-in web server allows an attacker to upload files on the device. Bercegay says he used this flaw to upload web shells on the device, which in turn granted him control over the device.

2) Hardcoded backdoor account - An attacker can log into vulnerable WD MyCloud NAS devices using the username "mydlinkBRionyg" and the password "abc12345cba". Bercegay says the backdoor doesn't give attackers admin access, but he was able to exploit another flaw and get root permissions for the backdoor account.

3) CSRF (Cross-Site Request Forgery) - A CSRF bug that can be exploited for executing rogue commands on the device and for playing stupid pranks by resetting the device's backend panel interface language.

Flaws are wormable and can impact private NAS devices

Of all flaws, Bercegay said the hardcoded backdoor account was the bigger issue because attackers could also attack devices isolated in local networks, not just NAS devices connected to the Internet.

"The triviality of exploiting this issues makes it very dangerous, and even wormable," the researcher says. "Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as 'wdmycloud' and 'wdmycloudmirror' etc."

The researcher provides an example exploit. The code below is for an image that when loaded on the computer of a WD NAS device owner will format his MyCloud device. Because the code can be hidden inside an ad or in a one-pixel iframe, the user won't even notice it when loaded on a page.

< img src="http://wdmycloud/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;rm+-rf+/;" >

Firmware out for affected devices

Bercegay says Western Digital released firmware version 2.30.174 that removes the backdoor account and patches the reported flaws. The following WD MyCloud devices are using vulnerable firmware versions, according to Bercegay's report:

Vulnerable:

MyCloud

MyCloudMirror

My Cloud Gen 2

My Cloud PR2100

My Cloud PR4100

My Cloud EX2 Ultra

My Cloud EX2

My Cloud EX4

My Cloud EX2100

My Cloud EX4100

My Cloud DL2100

My Cloud DL4100



Not Vulnerable:

MyCloud 04.X Series

MyCloud 2.30.174

Some of the flaws Bercegay found were also discovered by researchers from the Exploitee.rs community last March.

D-Link and WD shared the same backdoor account back in 2014

Bercegay also points out another interesting detail. The researcher says that Western Digital appears to have shared firmware code —possibly through a third-party software supplier— with the D-Link DNS-320L ShareCenter.

Bercegay says old D-Link DNS-320L ShareCenter firmware code also came with the same backdoor, but D-Link removed it four years ago.

"It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while," the researcher says. "The time frame in which both devices were vulnerable at the same time in the wild was roughly from early 2014 to later in 2014 based on comparing firmware release note dates."

UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.