Western Digital goes quiet on unpatched MyCloud flaw

Western Digital has failed to patch a serious security vulnerability in its MyCloud NAS drives that it was told about more than a year ago, researchers have alleged.

Worse, this is despite the fact that the issue was publicly disclosed as far back as DEF CON 25 in July last year.

The latest flaw, discovered independently by researchers at Securify and Exploitee.rs, is an authentication bypass that could give a local attacker complete admin control over drives.

The researchers started an admin session tied to their IP address and then fooled the drive into thinking this was authenticated by setting a username=admin cookie.

That was possible because:

The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1.

No admin password, nothing – just a simple CGI request to MyCloud’s web server and an attacker would be in via a local network (a remote compromise would depend on such access being enabled).

Securify has even published a proof-of-concept comprising a few lines of code – this isn’t major league hacking.

The only other requirement is that MyCloud is running the 2.x BusyBox firmware image, which would be the case for newer devices (older Debian Wheezy 3.x and 4.x versions are not affected).

Despite the flaw being reported to Western Digital from April 2017, neither set of researchers heard back, either to acknowledge the issue or offer a timescale for a fix. Tweeted Remco Vermeulen of Exploitee.rs which presented it at DEF CON:

Assigned CVE-2018-17153 this week, Western Digital MyCloud even has its own detailed Exploitee.rs Wiki, a database of knowledge on this product family’s weaknesses.

This last year has seen a bump in MyCloud security vulnerabilities, including several in January featuring hardcoded backdoors. On that occasion, Western Digital took months to release a patch, which it wasn’t clear even fixed all the issues.

It looks as if the company has problems with the way it processes vulnerabilities when they are reported to it.

Even if it considers the vulnerability to be a low-priority (that is not likely to be exploited) the 101 of good Vulnerability Disclosure Policies (VDPs) is that researchers should be kept in the loop.

It’s simple: when a fix becomes available, it should be posted on Western Digital’s support site.