Tag Archives: CSRF

WD Releases My Cloud NAS Firmware Updates

In the first half of 2017 I posted about vulnerabilities being publicly disclosed (defined) within Western Digital (WD) My Cloud NAS devices. This vulnerability was designated CVE-2018-17153 (defined).

Why should this vulnerability be considered important?
The vulnerability is relatively easy for an attacker to exploit without needing to authenticate/log in to the device. They need only set the username=admin cookie to obtain admin/privileged access to the device. This is because a network CGI (defined) module contains a command that begins an administrative session tied to the IP address of the device; the attacker must first bind the admin session to that IP address, and then need only call the remote system and authenticate using the cookie with the value set (as detailed above).

Of even more concern than the above, an attacker could leverage this vulnerability using a CSRF attack (CSRF, defined here and here) within a malvertising (malicious adverts) (defined) campaign, allowing them to compromise WD devices which are not connected to the internet. Separately, more than one security researcher discovered this vulnerability; I previously mentioned a researcher by the name of Zenofex, who contacted WD, but the company refused to acknowledge or fix the issues raised. The group Zenofex is part of disclosed the vulnerability (along with other security concerns) during the Def Con security conference in 2017 and created a Metasploit module (defined). In mid-September it was estimated that there were more than 1,800 vulnerable WD devices visible online.
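The bug class described above (an admin check that trusts a client-supplied cookie) and the CSRF angle, shown as a deliberately simplified illustration added here, not WD's code: the vulnerable check accepts whatever username the cookie claims, while the hardened version verifies credentials server-side, issues an unguessable session token bound to the client IP, and requires a per-session CSRF token on state-changing requests. The request dict shape and the `check_password` callback are assumptions for the example.

```python
import hmac
import secrets
import time

# Illustration of the bug class, not WD's code: a request is a dict with
# 'cookies', 'remote_ip', 'method' and 'form' keys (assumed shape).

def is_admin_vulnerable(request):
    # Vulnerable pattern: whoever sets the cookie "username=admin" is admin.
    return request["cookies"].get("username") == "admin"

SESSIONS = {}            # token -> {"user", "ip", "expires", "csrf"}, server-side only
SESSION_TTL = 15 * 60

def login(username, password, remote_ip, check_password):
    # Hardened: credentials are verified server-side and the client only ever
    # receives a random token; nothing in the cookie states who you are.
    if not check_password(username, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"user": username, "ip": remote_ip,
                       "expires": time.time() + SESSION_TTL,
                       "csrf": secrets.token_urlsafe(32)}
    return token

def current_session(request):
    # Look the token up; reject unknown, expired, or wrong-IP sessions.
    token = request["cookies"].get("session", "")
    sess = SESSIONS.get(token)
    if sess is None or sess["expires"] < time.time() or sess["ip"] != request["remote_ip"]:
        return None
    return sess

def is_admin_hardened(request):
    sess = current_session(request)
    return sess is not None and sess["user"] == "admin"

def authorize_state_change(request):
    # CSRF defence: a forged POST from another tab carries the session cookie
    # automatically, but cannot know the per-session CSRF token.
    sess = current_session(request)
    if sess is None or request["method"] != "POST":
        return False
    return hmac.compare_digest(sess["csrf"], request["form"].get("csrf", ""))
```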

How can I protect myself from this vulnerability (and the other security concerns raised)?
If you own any of the devices listed below, please follow the links to download and install updated firmware using the steps that WD provides:

Many thanks to BleepingComputer.com for these convenient links.

=======================

The firmware updates resolve more than the vulnerability discussed above (the updated OpenSSL, OpenSSH, jQuery and libupnp will also bring significant security improvements). For example, please find below the list for “My Cloud FW 2.31.149”:

Security Fixes

  • Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE-2016-10107.
  • Resolved multiple cross site request forgery (CSRF) vulnerabilities.
  • Resolved a Linux kernel Dirty Cow vulnerability (CVE-2016-5195).
  • Resolved multiple denial-of-service vulnerabilities.
  • Improved security by disabling SSH shadow information.
  • Resolved a buffer overflow issue that could lead to unauthenticated access.
  • Resolved a click-jacking vulnerability in the web interface.
  • Resolved multiple security issues in the Webfile viewer on-device app.
  • Improved the security of volume mount options.
  • Resolved leakage of debug messages in the web interface.
  • Improved credential handling for the remote MyCloud-to-MyCloud backup feature.
  • Improved credential handling for upload-logs-to-support option.

Components Updated

  • Apache – v2.4.34
  • PHP – v5.4.45
  • OpenSSH – v7.5p1
  • OpenSSL – v1.0.1u
  • libupnp – v1.6.25 (CVE-2012-5958)
  • jQuery – v3.3.1 (CVE-2010-5312)

=======================

If updated firmware is not yet available for your WD My Cloud NAS device, please follow the recommended steps from my previous post on WD My Cloud devices. Protecting these devices is especially important since NAS devices are often used for backups and to store precious/valuable data. Please also contact WD Customer Service to enquire about when an update will become available for your device.

Thank you.

WD My Cloud NAS Vulnerabilities

=======================
Update: 12th April 2017:
=======================
Western Digital have made available firmware updates to their My Cloud EX2100 and EX4100 models. The updates are available from this page.

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Update: 22nd March 2017:
=======================
Western Digital have made available firmware updates to My Cloud Mirror, EX2 and EX4 models. The updates are available from http://support.wdc.com/downloads.aspx

They resolve some of the critical vulnerabilities identified in these products. Steps to update the firmware are available in this Softpedia article.

Thank you.

=======================
Original Post:
=======================
Earlier this month a freelance security researcher known as Zenofex publicly disclosed (defined) a total of 85 security vulnerabilities within Western Digital (WD) MyCloud Network Attached Storage (NAS) (defined) devices.

The vulnerabilities consist of authentication bypasses, code execution (carrying out instructions/steps of an attacker’s choice) and the upload/download of the data the device contains. Since the researcher had not received cooperation from WD in addressing previously communicated vulnerabilities, they chose not to responsibly disclose (defined) these vulnerabilities.

After this disclosure, SEC Consult Vulnerability Lab (SCVL) provided further details of these vulnerabilities to the wider security community. For some of the 85 issues disclosed, they had contacted WD in January 2017 and disclosed some of the details on the 20th of February. These vulnerabilities include command injection vulnerabilities, a stack-based buffer overflow (defined) bug and a cross-site request forgery flaw (defined).

In December 2016 WD issued fixes for some of the vulnerabilities discovered, but these created further vulnerabilities which resulted in the very same outcome they were trying to address.

How can I protect myself from these vulnerabilities?
Unfortunately, due to the very large number of vulnerabilities disclosed, it will take a significant amount of time to resolve them all (especially if further vulnerabilities inadvertently become evident, as has happened before).

If you use this NAS device, the data it contains will be at elevated risk of compromise while WD works to resolve these vulnerabilities. I would recommend ensuring these devices are not accessible from the external internet. Shodan may be of assistance to you in determining this. More information on Shodan is available in a previous blog post.

Please create backups of the data these NAS devices contain and store them on other devices until these vulnerabilities are resolved. Monitor WD’s website and install new firmware releases as they become available.

While Western Digital issued fixes for some of the vulnerabilities in December 2016, the independent security researcher found that the fixes created another vulnerability with the same results as those they were intended to resolve.

In addition, within this ThreatPost article WD recommends:

“My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.”

I will update this post as new information on the relevant updates becomes available.

Thank you.

Belkin N600 DB Wireless Dual Band N+ Router Contains Unpatched Security Issues

A particular model of consumer/home user broadband router/wireless access point from Belkin has been found to be vulnerable to a set of security issues that can have potentially serious consequences.

The Belkin N600 DB Wireless Dual Band N+ router, model F9K1102 v2, with firmware version 2.10.17 (and possibly earlier) is affected.

There are 5 sets of issues (4 of which have been assigned CVEs, defined):

Use of Insufficiently Random Values – CVE-2015-5987: This issue would allow an attacker to spoof Belkin’s firmware update servers and to connect to any device (server, computer etc.) an attacker chooses.

Cleartext Transmission of Sensitive Information: This issue is somewhat related to the above issue, since firmware update requests could be intercepted, allowing an attacker to substitute a firmware update with an update of their choice or to prevent firmware updates from taking place. An attacker would first have to be able to conduct a man in the middle (MITM) attack (MITM, defined) for these malicious capabilities to become available to them.

Use of Client-Side Authentication – CVE-2015-5989: Due to the way the router checks whether a legitimate user is logged in, these values can be manually manipulated to allow an attacker to log into the router's administration interface (a webpage that allows the user to change the router's settings) with the same permissions as the legitimate user. The attacker would already need access to your local area network (LAN) (the network within your home) to carry out this attack; carrying it out remotely would not be possible.

Cross-Site Request Forgery (CSRF) – CVE-2015-5990: If the owner/user of the router is logged into the router's administrative interface and clicks on a link (within another browser tab) or visits a website of the attacker’s choice, the attacker will obtain the same permissions as the legitimate user. This is known as a Cross-Site Request Forgery (CSRF) attack (CSRF, defined here and here). If the issue mentioned below is also present (namely no password set by the user for the admin interface), the attacker would not need the user to already be logged in to use this attack against them.

Credentials Management – CVE-2015-5988: If an attacker already has access to your home network, they can access the router's admin interface if the router's default configuration has not been changed, namely if no password has been set.

Why Should These Issues Be Considered Important?
If an attacker can obtain full access to your router, they can change any setting they wish, e.g. the DNS settings (as discussed in a previous post), disconnect you and other legitimate users from your own internet connection, and possibly install rogue firmware onto your router.

While only one issue (Use of Insufficiently Random Values) can be exploited remotely, with the remaining issues requiring access to your network or a man in the middle (MITM) position, these issues should still be considered serious since they have the potential to take control of your router away from you and deny you access to your internet connection. The devices you have connected to the router may also visit websites that you didn’t intend (due to the DNS settings being changed, as mentioned above).

How Can I Protect Myself From These Issues?
While Belkin has not released a firmware update to resolve these issues and may choose not to do so, I would recommend following the advice provided in this CERT advisory: essentially, not allowing untrusted users to access your home network, and having a strong Wireless LAN key and a strong password for the router's admin interface.

If you are an owner of this router or know someone who is, I hope that the above advice is useful to you in preventing any malicious user from using these issues against you or someone you know.

Thank you.

Web Browsers Exploited To Attack Unpatched Consumer Routers

A new tool used by cybercriminals has been developed which, once a user visits a compromised website, attempts to exploit unpatched security vulnerabilities in the user’s internet router. The tool assumes that the router's firmware is not up to date. A router is a device usually provided by your ISP (Internet Service Provider) that gives you access to the internet; routers usually provide both wired and wireless access. A router connects to the internet via your fiber broadband connection or via your traditional telephone line (allowing a slower broadband connection). It should be noted that currently only consumer routers are affected. More details of the affected router models are provided in this blog post from French malware researcher Kafeine.

This exploit tool first uses a cross-site request forgery (CSRF) technique to determine the manufacturer of the router being used. Based on those results, the attack then uses an exploit for known issues with that router (e.g. previously patched (fixed) flaws in D-Link, Belkin and TP-Link routers) in an attempt to access the router's administration page. If that is not successful, common passwords are then tried to gain access. The goal of accessing your router's administrative interface (a settings page usually accessed using a web browser) is to change the router's DNS server IP addresses away from the addresses assigned by your ISP (or the DNS servers you chose yourself) to servers controlled by the attacker.

Why Does An Attacker Want To Change My Router’s DNS Settings?
DNS (Domain Name Service) works very much like looking a number up in a phone book. For example, when you type www.google.com into your web browser, your browser will check with your router to find out how to get to that website; it does this by “asking” the router what IP address is associated with www.google.com. Once the router replies with the IP address, your web browser visits that IP address and displays Google’s homepage.

Your router finds out Google's IP address by querying the DNS servers whose IP addresses it has stored within it. These servers obtain Google's IP address on behalf of your router and provide it to your router. If an attacker can change your router's DNS server settings, your router will then check with the attacker’s DNS servers (rather than your ISP's) for Google's IP address and will accept any IP address those servers respond with.

The router will then pass the address it was given to your web browser, which then displays the page for you. Since this IP address has been deliberately chosen by the attacker, the website could be a phishing site (or any other site of the attacker’s choice) which could (to continue the above example) try to steal your Google account credentials or perform other malicious actions. More details on approximately how many users have been impacted by this attack are available in this blog post. Protocols such as DNSSEC were designed to prevent such tampering, but unfortunately its use is not yet very widespread.

This type of attack, where your DNS settings are changed without your permission, is known as “pharming”.

How can I defend against this attack?
To protect against this issue I would recommend a similar approach to the NetUSB flaw that I previously discussed, namely monitoring the relevant websites of your router's manufacturer for firmware updates that address a CSRF flaw. Please follow the steps provided by your router manufacturer to apply the relevant updates.

In addition, it is recommended to have the most recent firmware for your router installed (especially if it contains fixes for already known security vulnerabilities). As mentioned above, the attack tries to exploit older known flaws and assumes you haven’t updated your router.

My home router is an Asus router from mid-2013. I already have the most recent firmware from January 2015 installed (which fixed 2 security issues, one of which was a CSRF flaw). However, it’s unclear whether Asus still supports my router or will release a fix for this issue. Upon contacting Asus support, they said they couldn’t disclose the answers to either question. Based on this uncertainty it may be time for me to consider a newer model of router from Asus.

To prevent the CSRF technique from reaching your router, you can specify that only a single IP address is allowed to access your router’s settings page (unfortunately not all routers have this capability). The router's admin page would then only be accessible from that address. To access your router you would first need to change your computer's/device's IP address to the address you have chosen and then log in to your router; the CSRF attack would not be able to do this. When you have finished accessing your router’s admin page you would change your device's IP address back to its default (commonly used) address (which would block any unauthorized access).

To check that the DNS servers of your router are legitimate and working as expected, Kafeine in her/his blog post mentioned 2 tools for checking your router's DNS settings. I don’t own an Android device to install the Android app, but I used the web-based F-Secure tool, which showed that my DNS servers are still set to my ISP's servers. I had already verified this since I had manually checked my router's DNS settings, found the 2 IP addresses being used for DNS lookups and entered the addresses into the DomainTools Whois lookup. The company names that were displayed matched those of my ISP. However, F-Secure’s tool is very easy to use and much quicker than my manual method mentioned above.
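A way to automate the check described above, and the pharming mechanism explained in the DNS section, as an added example (not Kafeine's, F-Secure's or the post's own tooling): it builds a raw DNS A query with only the standard library, parses the reply, and flags a hijack when the router's resolver returns no address that a trusted resolver also returns for the same name. The sample response bytes are constructed for the example, and the resolver addresses passed to `resolve_via` are the caller's choice.

```python
import ipaddress
import socket
import struct

def build_query(name, txid=0x1234):
    # Minimal DNS A query: recursion desired, one question, no extras.
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Step past a (possibly compressed) domain name and return the next offset.
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    # IPv4 addresses from the answer section of a DNS response message.
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                # non-zero RCODE: no usable answer
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4      # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.add(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs

def resolve_via(server, name, timeout=2.0):
    # Ask one specific resolver (the router first, then a trusted one) over UDP.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])

def looks_hijacked(router_answers, trusted_answers):
    # Pharming indicator: the router's resolver shares no address with a trusted resolver.
    return bool(router_answers) and router_answers.isdisjoint(trusted_answers)

# Constructed sample (not a real capture): reply for www.example.test -> 203.0.113.7,
# with the answer name given as a compression pointer back to the question (0xC00C).
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + b"\x03www\x07example\x04test\x00" + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([203, 0, 113, 7]))
```

Large or CDN-fronted sites legitimately return different addresses from different resolvers, so treat a disjoint result as a prompt to inspect the router's DNS settings rather than as proof of compromise.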

Thank you.