Vulnerabilities in Cloud Device
Thursday, September 24, 2015 @ 06:09 PM gHale
Western Digital is working on a fix for vulnerabilities in its My Cloud NAS (network attached storage) product that local and remote attackers can exploit to gain root access to the device.
WD My Cloud is a private cloud environment hosted at home or at a small organization’s office. A user can access it either from a desktop on the same network or remotely, with a smartphone, from anywhere in the world. Users interact with it either via the administrative user interface or an application (which uses a RESTful API), said researchers at VerSprite.
The flaws researchers found affect firmware versions 04.01.03-421 and 04.01.04-422, and possibly earlier versions.
The first vulnerability permits remote command injection.
“Remote access is typically done through the client application, which is available for Windows, Mac, Android, and iPhone,” the researchers said in a blog post. “This client application is just a GUI front-end for the RESTful API mentioned before. VerSprite found that any authorized remote user of the device can remotely execute commands and steal files belonging to other users regardless of their permissions by abusing functionality within the RESTful API and the client applications. Worse yet, the attacking user will have root access to the NAS in a private internal network, so more can be at stake since an attacker can use this to pivot through the network.”
The client app is not the problem; the RESTful API is. It fails to sanitize file names, so attackers can simply include executable commands in them.
The only good news is that attackers must have authorized access to the device in order to perform the attack. Still, there is a way to carry out this attack without authorized access: the device provides a “Public” folder on the local network, and anyone who can reach it, even via the Internet, can place a file with a malicious executable name in it.
The command embedded in the file’s name is then executed when an authenticated user navigates to this Public folder.
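As an added example (not code from Western Digital or VerSprite), the Python below sketches the defensive side of the file-name issue described above: a conservative allow-list check that a file-handling API could apply before a name reaches any command, a scan that flags entries in a share listing (constructed sample data) containing shell metacharacters, and the contrast between splicing a name into a shell string and passing it as a separate argument with no shell involved. The share path and the staging command are assumptions.

```python
import shlex
from pathlib import PurePosixPath

# Characters that let a file name break out of a command assembled by string
# concatenation. This is a practical list for scanning, not a full shell grammar.
SHELL_META = set(';&|`$(){}<>\\"\'*?[]\n')

# Constructed sample listing of a share, standing in for a real Public folder.
SAMPLE_LISTING = [
    "family_photo 2015.jpg",
    "report $(date).txt",
    "a|b.txt",
    "README.txt",
]

def is_safe_filename(name: str) -> bool:
    """Allow-list check: a plain name with a conservative character set,
    no path separators, no NUL bytes, and no leading '-' (option injection)."""
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\x00" in name or name.startswith("-"):
        return False
    allowed = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._ -")
    return len(name) <= 255 and all(c in allowed for c in name)

def flag_suspicious(listing):
    """Return names from a directory listing that carry shell metacharacters,
    i.e. the names a defender would want to review or quarantine."""
    return [n for n in listing if any(c in SHELL_META for c in n)]

def build_copy_command_unsafe(share_dir: str, name: str) -> str:
    """The pattern that causes the bug: the name is interpolated into a shell string."""
    return f"cp {share_dir}/{name} /tmp/staging/"

def build_copy_command_safe(share_dir: str, name: str) -> list:
    """Hardened form: validate, then build argv for subprocess.run(..., shell=False).
    '--' stops option parsing so a name can never be read as a flag."""
    if not is_safe_filename(name):
        raise ValueError(f"rejected file name: {name!r}")
    return ["cp", "--", str(PurePosixPath(share_dir) / name), "/tmp/staging/"]

if __name__ == "__main__":
    for n in flag_suspicious(SAMPLE_LISTING):
        print("suspicious:", shlex.quote(n))
    print(build_copy_command_safe("/shares/Public", "family_photo 2015.jpg"))
```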
The second flaw affects the device’s Web app. It does not differentiate between genuine and forged HTTP requests, which allows attackers to perform cross-site request forgery.
Until Western Digital releases the needed firmware updates, users should avoid clicking on links or downloading files from untrusted sources, always verify the authenticity of a login request before submitting credentials, disable WebRTC in their browsers, restrict access to the My Cloud device to trusted users only, disable remote access to the device (if possible), and place the WD My Cloud device on a separate subnet, behind a firewall.