Why should this vulnerability be considered important?
The vulnerability is relatively easy for an attacker to exploit without needing to authenticate to the device. They need only set the username=admin cookie to obtain admin/privileged access to the device, because a network CGI module (defined) contains a command that begins an administrative session tied to the IP address of the device; the attacker must first bind the admin session to the IP address. They then need only call the remote system and authenticate using the cookie with the value set (as detailed above).
Of even more concern than the above, an attacker could leverage this vulnerability using a CSRF attack (CSRF defined here and here) within a malvertising (malicious adverts) campaign (defined), allowing them to compromise WD devices which are not connected to the internet. Separately, there was more than one security researcher who discovered this vulnerability; I previously mentioned a researcher by the name of Zenofex, who not only contacted WD but the company refused to acknowledge or fix the issues raised. The group Zenofex is part of disclosed the vulnerability (along with other security concerns) during the Def Con security conference in 2017 and created a Metasploit module (defined). In mid-September it was estimated that there were more than 1,800 vulnerable WD devices visible online.
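To make the two points above concrete, here is an added illustration in Python that is not WD's code and not from the original post: a hypothetical model of an IP-bound, cookie-trusting check of the kind described, beside a hardened check that issues a random server-side session only after a credential check and also requires a per-session CSRF token; all class, method and sample values are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Hypothetical model of the flaw described above (not WD's code): an admin session is bound
# to an IP with no credential check, after which the username cookie alone decides identity.
class VulnerableAuth:
    def __init__(self):
        self.bound_ips = set()
    def bind_session(self, client_ip):      # reachable unauthenticated in the flaw described
        self.bound_ips.add(client_ip)
    def is_admin(self, client_ip, cookies):
        return client_ip in self.bound_ips and cookies.get("username") == "admin"

# Hardened model: identity comes only from a server-side session issued after a credential
# check, the cookie is a random token rather than a username, and state-changing requests
# must also carry a per-session CSRF token that a cross-site page cannot read.
class HardenedAuth:
    def __init__(self, users):
        self.users = users                  # username -> (salt, PBKDF2 verifier)
        self.sessions = {}                  # session token -> (username, csrf token)
    @staticmethod
    def make_verifier(password):
        salt = secrets.token_bytes(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    def login(self, username, password):
        # Unknown users still go through PBKDF2 so the response time does not reveal them.
        salt, verifier = self.users.get(username, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
        if not hmac.compare_digest(candidate, verifier):
            return None
        token, csrf = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.sessions[token] = (username, csrf)
        return token, csrf
    def is_admin(self, cookies, form):       # client IP deliberately not consulted
        user, csrf = self.sessions.get(cookies.get("session", ""), (None, ""))
        return user == "admin" and hmac.compare_digest(form.get("csrf", ""), csrf)

def demo():
    attacker_ip = "203.0.113.10"            # constructed sample value
    vuln = VulnerableAuth()
    vuln.bind_session(attacker_ip)
    forged_works = vuln.is_admin(attacker_ip, {"username": "admin"})
    hard = HardenedAuth({"admin": HardenedAuth.make_verifier("correct horse battery")})
    forged_fails = not hard.is_admin({"username": "admin"}, {})
    token, csrf = hard.login("admin", "correct horse battery")
    csrf_blocked = not hard.is_admin({"session": token}, {})   # cookie alone, as in a CSRF request
    legit = hard.is_admin({"session": token}, {"csrf": csrf})
    return forged_works, forged_fails, csrf_blocked, legit
```

Running demo() returns (True, True, True, True): the forged cookie is accepted by the vulnerable model but rejected by the hardened one, a request carrying only the session cookie (the CSRF case) is rejected, and a logged-in request with its CSRF token succeeds.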
How can I protect myself from this vulnerability (and the other security concerns raised)?
If you own any of the devices listed below, please follow the links below to download and install the updated firmware using the steps that WD provides:
- My Cloud FW 2.30.196
- My Cloud Mirror Gen2 FW 2.30.196
- My Cloud EX2 Ultra FW 2.30.196
- My Cloud EX2100 FW 2.30.196
- My Cloud EX4100 FW 2.30.196
- My Cloud DL2100 FW 2.30.196
- My Cloud DL4100 FW 2.30.196
- My Cloud PR2100 FW 2.30.196
- My Cloud PR4100 FW 2.30.196
Many thanks to BleepingComputer.com for these convenient links.
The firmware updates resolve more than the vulnerability discussed above (the updated OpenSSL, OpenSSH, jQuery and libupnp also bring significant security improvements). For example, please find below the list for the “My Cloud FW 2.31.149”:
- Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE-2016-10107.
- Resolved multiple cross site request forgery (CSRF) vulnerabilities.
- Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
- Resolved multiple denial-of-service vulnerabilities.
- Improved security by disabling SSH shadow information.
- Resolved a buffer overflow issue that could lead to unauthenticated access.
- Resolved a click-jacking vulnerability in the web interface.
- Resolved multiple security issues in the Webfile viewer on-device app.
- Improved the security of volume mount options.
- Resolved leakage of debug messages in the web interface.
- Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
- Improved credential handling for upload-logs-to-support option.
- Apache – v2.4.34
- PHP – v5.4.45
- OpenSSH – v7.5p1
- OpenSSL – v1.0.1u
- libupnp – v1.6.25 (CVE-2012-5958)
- jQuery – v3.3.1 (CVE-2010-5312)
If updated firmware is not yet available for your WD My Cloud NAS device, please follow the recommended steps from my previous post on WD My Cloud devices. Protecting these devices is especially important since NAS devices are often used for backups and to store precious/valuable data. Please also contact WD Customer Service to enquire about an update becoming available for your device.