Buggy backups! Unplug your WD My Cloud until these flaws are fixed

No timeline for a fix so far…

Consumers who use a Western Digital My Cloud for data backups should unplug their units for the time being due to a series of unpatched vulnerabilities.

On 7 March, the SEC Consult Vulnerability Lab disclosed vulnerabilities affecting the WD My Cloud private personal data storage unit. As it explains in an advisory:

"The firmware doesn't apply proper validation on many user inputs. As a result, below vulnerabilities could be exploited by unauthenticated attackers to fully compromise the device."

For instance, unauthenticated attackers could use a cURL request to upload a malicious file to the web server. They could then use that file to execute an arbitrary OS command, an attack vector which could grant them full control over the unit.

But that's not all. The firmware for WD My Cloud has no mechanism to protect against cross-site request forgery (CSRF) attacks. Meaning? A script on any web page the user happens to visit can trigger any action the device's web interface offers, including uploading a malicious file or executing an arbitrary OS command, over the Internet.
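To make the missing piece concrete, here is what a CSRF defence on a device web interface looks like. This is an added illustration, not code from the advisory, from Western Digital or from SEC Consult; the device origins, the session layout and the request shape are assumptions made for the example. It addresses only the CSRF point: a same-site origin check plus a per-session synchronizer token, so a request forged from a third-party page fails both checks. It does nothing for the missing input validation the advisory describes, which is what lets an unauthenticated attacker upload a file in the first place.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed hostnames under which the device serves its web UI (example values).
DEVICE_ORIGINS = {"http://wdmycloud", "http://wdmycloud.local"}


def issue_csrf_token(session):
    """Mint a per-session synchronizer token and store it server-side."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def verify_state_change(request, session):
    """Return (allowed, reason) for a request that changes state.

    `request` is a constructed dict: {"method", "headers", "form"}.
    Two independent checks, either of which stops a cross-site request:
      1. Origin (or Referer) must name the device itself.
      2. The submitted token must match the one held in the session.
    A page served by another site can satisfy neither.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"  # must not change state on the device

    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin/Referer"
    parts = urlsplit(origin)
    source = f"{parts.scheme}://{parts.netloc}"
    if source not in DEVICE_ORIGINS:
        return False, f"cross-site origin {source}"

    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    # Constant-time comparison so token checking does not leak by timing.
    if not expected or not hmac.compare_digest(expected, supplied):
        return False, "bad or missing CSRF token"
    return True, "ok"


def demo():
    """Run four constructed requests through the check and return the verdicts."""
    session = {}
    token = issue_csrf_token(session)
    upload = {"file": "backup.tar", "csrf_token": token}
    requests = {
        # Browser on the LAN submitting the device's own upload form.
        "legitimate": {"method": "POST", "form": upload,
                       "headers": {"Origin": "http://wdmycloud"}},
        # Forged from a third-party page; even with a valid token the
        # origin check rejects it (defence in depth).
        "cross_site": {"method": "POST", "form": upload,
                       "headers": {"Origin": "http://attacker.example"}},
        # Same origin but no token: rejected by the second check.
        "no_token": {"method": "POST", "form": {"file": "backup.tar"},
                     "headers": {"Referer": "http://wdmycloud/upload"}},
        # Read-only request: no CSRF check needed.
        "get": {"method": "GET", "form": {}, "headers": {}},
    }
    return {name: verify_state_change(req, session) for name, req in requests.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

The origin check is what a hostname change alone cannot provide: a forged request still arrives with the attacker's page as its Origin, whatever the device is called, and the token check catches the case where Origin is absent or stripped.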

Getting the picture?

Below is a video demonstration of the exploits to drive home the point.

SEC Consult originally reported the vulnerabilities to WD on 18 January 2017. What followed was a lot of back and forth, including WD telling the vulnerability lab the following: "we don't have a security department that we could forward this concern".

The affected vendor ultimately asked SEC Consult for a disclosure extension. But an outside security researcher known as "Zenofex" interrupted this arrangement by publishing their own findings about My Cloud, many of which overlapped with the lab's.

In their analysis of the flaws, Zenofex explains why they decided not to abide by responsible disclosure:

"At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a 'Pwnie for Lamest Vendor Response' in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices."

Ouch. Nothing like a bit of notoriety to sour some security researchers.

Here at Graham Cluley Security News, we encourage all security researchers to do their best to abide by responsible disclosure. We all know that doesn't always work out. But it's the effort that counts.

Even so, acknowledging the vendor's record, we stand by SEC Consult's advice to WD My Cloud users: DON'T attach the unit to a network until Western Digital has resolved the security issues outlined above.


5 Responses

  1. Jon

    March 9, 2017 at 8:37 am #

    If I understand it right, the problem isn't (just?) that the device is accessible from the internet, but that you could go to a malicious website which requests a local resource like http://wdmycloud/break_everything.

    Therefore, would changing the device's hostname help/fix this particular problem? Or is there a way for an attacker to get in even if the hostname is non-default (assuming it's not accessible from outside the LAN)?

    • Bob in reply to Jon.

      March 10, 2017 at 12:27 pm #

      Changing the hostname would make no difference as the port can be remotely sniffed.

      I'm not sure what you mean when you say "assuming it's not accessible from outside the LAN" because it's either accessible to your internet connected devices or it isn't. If one of your devices (which can access the drive) is connected to the internet then it's vulnerable. If the device isn't exposed to the internet at all (air-gapped) then you're safe.

      Software control (like a firewall) won't necessarily protect you therefore isolating the drive within the LAN may still leave your data vulnerable. Hardware control (e.g. data diodes, sluices etc.) will give a very good level of protection but you need real expertise in setting them up and they're extremely expensive – it'd be cheaper to buy a new hard drive instead.

      Therefore if any of your devices which can access your WD device connect to the internet then you should disconnect the WD drive if you want your data to be safe.

  2. Charlie

    March 11, 2017 at 8:04 pm #

    On version 2.x firmware the web server can be stopped by logging in as root over ssh and running the command

    lighty stop

    The unit carries on working as a NAS but without the web GUI.

    If you want to start the web server again run

    lighty_ssl

    • Charlie in reply to Charlie.

      March 12, 2017 at 12:13 pm #

      Unfortunately apache is restarted when the logs are rotated at 3am.

      One way of stopping this is to move httpd, so to disable:

      lighty stop
      mv /usr/sbin/httpd /usr/sbin/httpd.orig

      and to reenable

      mv /usr/sbin/httpd.orig /usr/sbin/httpd
      lighty_ssl

      Note also that THESE CHANGES ARE NOT PERSISTENT. So you have to disable httpd again if the system is rebooted. Do these mods at your own risk.

  3. Jon

    March 13, 2017 at 7:20 pm #

    Thanks for the useful input. Is it necessary to disable the whole web UI? My understanding was that disabling the MyCloud part will do (which is fine for usage just inside the LAN, no external access required), and ensuring the router blocks inbound connections.

    https://security.stackexchange.com/questions/153406/wd-my-cloud-vulnerabilities-what-is-at-risk/153408

    It might be that I've misunderstood and "MyCloud" does mean the whole web UI, but the comments suggest it's just a part.

    Is disabling all/part of the web UI sufficient as a safe alternative to Bob's "air gap" suggestion? I've noticed for example on an older version (mybooklive) the clock seems to lose time, so being able to see an NTP server is useful if outbound internet access can safely be kept.

    It might be that a command similar to these (for disabling the media service) will disable httpd until a firmware update, rather than just reboot:

    update-rc.d wdphotodbmergerd disable
    update-rc.d wdmcserverd disable

    Maybe put httpd in there? I can't try it currently.
