Consumers who use a Western Digital My Cloud for data backups should unplug their units for the time being due to a series of unpatched vulnerabilities.
On 7 March, the SEC Consult Vulnerability Lab disclosed vulnerabilities affecting the WD My Cloud private personal data storage unit. As it explains in an advisory:
“The firmware doesn’t apply proper validation on many user inputs. As a result, below vulnerabilities could be exploited by unauthenticated attackers to fully compromise the device.”
For instance, unauthenticated attackers could use a cURL request to upload a malicious file into the web server. They could then use the file to execute an arbitrary OS command, an attack vector which could grant them full control over the unit.
But that’s not all. The firmware for WD My Cloud doesn’t come with a mechanism designed to protect against cross-site request forgery attacks. Meaning? Any attacker can exploit any action via any script, including uploading a malicious file or executing an arbitrary OS command over the Internet.
Getting the picture?
Below is a video demonstration of the exploits to drive home the point.
SEC Consult originally reported the vulnerabilities to WD on 18 January 2017. What followed was a lot of back and forth, including WD telling the vulnerability lab the following: “we don’t have a security department that we could forward this concern”.
The affected vendor ultimately requested SEC Consult to provide them with a disclosure extension. But an outside security researcher known as “Zenofex” interrupted this arrangement when they published their own findings about My Cloud, including many of the lab’s findings.
In their analysis of the flaws, Zenofex explains why it decided to not abide by responsible disclosure:
“At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a ‘Pwnie for Lamest Vendor Response’ in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.”
Ouch. Nothing like a bit of notoriety to sour some security researchers.
Here at Graham Cluley Security News, we encourage all security researchers to do their best to abide by responsible disclosure. We all know that doesn’t always work out. But it’s the effort that counts.
Even so, acknowledging the vendor’s record, we stand by SEC Consult’s advice to WD My Cloud users: DON’T attach the unit to a network until Western Digital has resolved the security issues outlined above.