A number of My Cloud network-attached storage devices from Western Digital, including some models used by businesses, were found to contain an undocumented account that could allow attackers to take over the devices. The exact same account with the same hard-coded password existed in D-Link NAS devices in the past.
The backdoor account, which cannot be changed or removed by users, was one of several serious vulnerabilities found in the WD My Cloud firmware by security researcher James Bercegay. The researcher reported the flaws to Western Digital in June 2017 and made them public last week.
According to Bercegay, the vulnerable WD My Cloud devices are: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100. Some of the issues were fixed in the My Cloud 2.30.174 firmware and the My Cloud 04.x series is not vulnerable.
The researcher initially found a remotely exploitable file upload vulnerability, which he claims was the result of the firmware developers misunderstanding the PHP gethostbyaddr() function. This flaw could be exploited to upload a shell to the web server of the affected device, allowing the execution of commands with root privileges.
Upon further investigation, the researcher also found a hard-coded account with the username mydlinkBRionyg in a CGI script. An attacker could also use this hidden account to execute commands as root by sending remote requests to the nas_sharing.cgi file.
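For defenders, the practical question is whether the hidden account has already been used. The following is an added example, not code from the article or from Western Digital: a small Python detector that scans web-server access-log lines for requests to nas_sharing.cgi that carry the username named above, and separately flags requests to that CGI whose Referer points at a host other than the device's own predictable default hostnames quoted later in the article. The log lines are constructed for the example, the Apache "combined" layout is an assumption about the device's log format, and the `user=` query parameter name is likewise an assumption; the detector matches the username anywhere in the decoded request line, so it does not depend on the parameter name.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" format; not real device logs.
# Line 2: hidden account used directly (no Referer, command-line client).
# Line 3: hidden account used via a page on another site (cross-site Referer).
# Line 4: ordinary request to the same CGI from the device's own UI.
SAMPLE_LOG = """\
192.168.1.20 - - [08/Jan/2018:10:00:01 +0000] "GET /web/images/logo.png HTTP/1.1" 200 1234 "http://wdmycloud/web/" "Mozilla/5.0"
192.168.1.20 - - [08/Jan/2018:10:00:05 +0000] "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg&cmd=7 HTTP/1.1" 200 512 "-" "curl/7.55"
192.168.1.31 - - [08/Jan/2018:10:01:12 +0000] "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg HTTP/1.1" 200 512 "http://evil.example/page.html" "Mozilla/5.0"
192.168.1.20 - - [08/Jan/2018:10:02:00 +0000] "POST /cgi-bin/nas_sharing.cgi HTTP/1.1" 200 77 "http://wdmycloud/web/" "Mozilla/5.0"
"""

HIDDEN_USER = "mydlinkBRionyg"      # hard-coded account named in the advisory
TARGET_CGI = "nas_sharing.cgi"      # CGI reachable with that account
# Default hostnames the article quotes; add the IP/hostname you actually use.
DEVICE_HOSTS = {"wdmycloud", "wdmycloudmirror"}

# Apache "combined" log format (assumed layout for the example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if unparseable."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def classify(entry):
    """Return a list of finding labels for one parsed entry (empty if benign)."""
    path = urlsplit(entry["target"]).path
    if not path.endswith("/" + TARGET_CGI):
        return []
    findings = []
    # URL-decode so %2F-style encoding of the username does not hide it.
    if HIDDEN_USER in unquote_plus(entry["target"]):
        findings.append("hidden-account")
    referer = entry["referer"]
    if referer and referer != "-":
        ref_host = (urlsplit(referer).hostname or "").lower()
        # A browser that reached this CGI from a page on another host is the
        # cross-site pattern the article describes.
        if ref_host not in DEVICE_HOSTS:
            findings.append("cross-site-referer")
    return findings


def scan(log_text):
    """Scan a block of log text and return one alert dict per suspicious entry."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            alerts.append({"ip": entry["ip"], "timestamp": entry["ts"],
                           "target": entry["target"], "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Access logs record only the request line, so a POST that carries the username in its body (line 4 above, which is benign here) is invisible to this check; pairing it with a same-origin check on the device itself, or with packet capture on the LAN, closes that gap.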
Even if the NAS device is not exposed to the internet, an attacker can still execute the exploit through cross-site request forgery (CSRF). This technique involves tricking a user connected to the same network as a vulnerable device into visiting a website with malicious code that sends an authorized request through their browser.
“The triviality of exploiting this issue makes it very dangerous, and even wormable,” Bercegay said in an advisory. “Not only that, but users locked to a LAN are not safe either. An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as ‘wdmycloud’ and ‘wdmycloudmirror’ etc.”
This is possible because, like many embedded devices, My Cloud boxes don’t have CSRF protections for their web interface. Attackers have used CSRF in large-scale attacks in the past to hack into routers.
The absence of CSRF protections means that even without backdoor accounts or other vulnerabilities, hackers can still attack devices by tricking logged-in admins into visiting a website and piggybacking on their authenticated sessions. Users rarely log out of the web interfaces of their routers or NAS boxes, so authenticated sessions might remain active in their browsers.
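What a CSRF protection for such a web interface looks like, as an added example that is not code from the article or from the device firmware: a request handler written the way the article says these devices work (any state-changing request with a valid session cookie is accepted) beside a hardened version that first requires the browser-supplied Origin or Referer header to name the same host the request was addressed to, and then requires a per-session token in the form body. The in-memory session store, the `Request` and `Session` types and the "change password" operation are constructed for the example; the hostnames `wdmycloud` and `evil.example` are the article's default hostname and a placeholder attacker site respectively.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit


@dataclass
class Session:
    user: str
    # One random token per login; rendered into the UI's forms as a hidden field.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    method: str
    headers: Dict[str, str]   # header names lower-cased
    form: Dict[str, str]      # parsed form body
    cookies: Dict[str, str]


SESSIONS: Dict[str, Session] = {}   # constructed in-memory store: cookie -> session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would hold."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user)
    return sid


def session_for(req: Request) -> Optional[Session]:
    return SESSIONS.get(req.cookies.get("sid", ""))


def change_password_vulnerable(req: Request):
    """The pattern the article describes: a valid session cookie is all that is
    checked, so a request triggered by a page on another site is accepted."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    return 200, "password changed for " + sess.user   # state change would go here


def same_origin(req: Request) -> bool:
    """Accept only if the Origin header (or Referer, for requests that lack one)
    names the host this request was addressed to. Browsers attach these headers
    to cross-site requests and do not let page scripts overwrite them."""
    source = req.headers.get("origin") or req.headers.get("referer")
    if not source:
        return False            # no provenance at all: treat as cross-site
    return urlsplit(source).netloc.lower() == req.headers.get("host", "").lower()


def change_password_hardened(req: Request):
    """Same operation with a same-origin check and a session-bound CSRF token."""
    sess = session_for(req)
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state changes require POST"   # keeps <img>/<iframe> GETs out
    if not same_origin(req):
        return 403, "cross-site request rejected"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess.csrf_token):   # constant-time compare
        return 403, "missing or wrong CSRF token"
    return 200, "password changed for " + sess.user


def demo():
    """Run a legitimate and a forged request through both handlers."""
    sid = login("admin")
    token = SESSIONS[sid].csrf_token
    legit = Request("POST", {"host": "wdmycloud", "origin": "http://wdmycloud"},
                    {"csrf_token": token, "new_password": "x"}, {"sid": sid})
    # A form auto-submitted by a page on evil.example: the browser adds the
    # session cookie and sets Origin to the attacker's site, not the device.
    forged = Request("POST", {"host": "wdmycloud", "origin": "http://evil.example"},
                     {"new_password": "x"}, {"sid": sid})
    return {
        "vulnerable_forged": change_password_vulnerable(forged)[0],
        "hardened_forged": change_password_hardened(forged)[0],
        "hardened_legit": change_password_hardened(legit)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The origin check needs no session at all, so it also applies to unauthenticated endpoints such as the CGI described earlier, where a per-session token does not exist; the token check is what stops a request that somehow arrives with no Origin or Referer header but a live session cookie.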
Bercegay also found other vulnerabilities in the WD My Cloud firmware, including a command injection issue, a denial-of-service flaw and an information disclosure bug. This is not the first time researchers have found command injection flaws in these devices, either.
The username of the hidden account, mydlinkBRionyg, and references to a file called mydlink.cgi elsewhere in the code made Bercegay wonder why the firmware of Western Digital’s NAS products would contain references to a competitor, D-Link. After some research, he found that the My Cloud firmware shares a lot of code with a D-Link NAS product called DNS-320L ShareCenter. Not only that, but the DNS-320L ShareCenter firmware had the exact same backdoor account until July 2014, when it was removed in an update.
It’s not clear why these products share large portions of their firmware, but it’s not entirely uncommon in the complex ecosystem of embedded devices. It happens because vendors commonly outsource the manufacturing and even the firmware development to third-party OEMs.
In 2016, researchers found a root account with the same hard-coded password in digital video recorders from seven different vendors. A year before that, another researcher found a backdoor account in many brands of routers supplied by ISPs to customers, all of which had their firmware written by the same company in China.