Storage devices from one company contain multiple firmware vulnerabilities that can be exploited remotely.
Western Digital My Cloud devices, ranging from consumer products with up to 16TB of storage (My Cloud Mirror) to business devices with up to 32TB (My Cloud Pro and My Cloud Expert), are affected.
A login bypass, an arbitrary file write, 13 unauthenticated command execution bugs and 70 authentication-required bugs were reported by Zenofex of Exploiteers.
The authentication-required bugs become reachable without credentials by chaining them with the login bypass.
Zenofex said in a blog post that he was analyzing a bug already found and reported (along with others) to Western Digital by ESET researcher Kacper Szurek. According to Szurek's timeline, Western Digital told him on Jan. 1 that the issue had been fixed.
Meanwhile, Securify also issued an advisory on the same authentication bypass bug. Its timeline is very similar to Szurek's but cites a different firmware release as the one that fixes the bug.
Zenofex does not cite firmware release numbers. He wrote only that, in patching the old bug, Western Digital had introduced a new one with the very same consequences into its latest firmware.
Western Digital “fixed” the old cookie-based vulnerability by adding a new “wto_check()” function. The problem here “is the incorrect use of the PHP method ‘escapeshellcmd()’ which, in its intended usage, handles an entire command string, and not just an argument… Because of this, instead of actually checking if the user is logged in, we can add new arguments and log the user in ourselves,” Zenofex said.
Once the attacker is logged in, he or she can exploit any one of many unsanitized CGI scripts. Instead of proper input sanitization, the scripts appear to rely on being accessible only to an authenticated user, a property the authentication bypass vulnerability means cannot be guaranteed.
“This basic pattern resulting in a command injection vulnerability is used multiple times within the many scripts used by the web interface,” Zenofex said. “Also, it is important to note that all commands executed through the web interface are done so as the user the web-server is running as, which, in this case is root.”
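The two patterns described above, escapeshellcmd() wrapped around a whole command line in the login check and raw parameters handed to the shell in the CGI scripts, are easy to confuse with proper escaping. The following PHP script is an added illustration written for this article; it is not Western Digital's firmware code and not Zenofex's exploit. The only thing taken from the article is the shape of the login check, a tool invoked with "-n <name> -c"; the tool's other options are not on the page, so it is replaced by printf, which just prints every argument the shell hands it, and the "-x 1" option in the demo stands for any option the real tool might accept. A POSIX shell is assumed.

```php
<?php
// Added illustration, not Western Digital's code and not Zenofex's exploit.
// printf stands in for the login-state tool: it prints each argument it
// receives followed by a comma, so the argument vector the shell actually
// delivered can be read back off the output.
const TOOL = 'printf %s,';

// Split printf's comma-separated output back into an argument vector.
function argv_of(string $output): array
{
    return array_values(array_filter(explode(',', $output), 'strlen'));
}

// Pattern 1, the wto_check() mistake: escapeshellcmd() over the whole line.
// It backslash-escapes ; | & $ ` and similar metacharacters, so a second
// command cannot be chained on, but it is designed for a complete command
// string and therefore leaves spaces and leading dashes alone. A caller who
// controls $name can append arguments of their own.
function login_check_vulnerable(string $name): array
{
    return argv_of((string) shell_exec(escapeshellcmd(TOOL . " -n $name -c")));
}

// Pattern 2, the CGI scripts behind the bypass: no escaping at all. Whatever
// the shell understands is executed, as the user the web server runs as.
function cgi_vulnerable(string $param): string
{
    return (string) shell_exec(TOOL . " $param");
}

// Hardened: reject anything outside the character set the command needs, then
// pass the value as exactly one single-quoted argument with escapeshellarg().
// (The allow-list pattern is an assumption; use whatever the real tool needs.)
function login_check_hardened(string $name): array
{
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('rejected user name');
    }
    return argv_of((string) shell_exec(TOOL . ' -n ' . escapeshellarg($name) . ' -c'));
}

// Demonstration: one benign name, one that smuggles extra arguments past
// escapeshellcmd(), and one that tries to chain a second command.
$cases = [
    'benign'      => 'admin',
    'extra args'  => 'admin -x 1',   // "-x 1": hypothetical option of the tool
    'chained cmd' => 'admin; id',
];
foreach ($cases as $label => $name) {
    printf("%-12s escapeshellcmd -> %s\n", $label, json_encode(login_check_vulnerable($name)));
}

echo 'no escaping    -> ', cgi_vulnerable('x; echo INJECTED'), PHP_EOL;

foreach (['admin -x 1', 'admin'] as $name) {
    try {
        printf("escapeshellarg -> %s\n", json_encode(login_check_hardened($name)));
    } catch (InvalidArgumentException $e) {
        printf("escapeshellarg -> %s: %s\n", $e->getMessage(), json_encode($name));
    }
}
```

Run it with `php` on a Linux host. The escapeshellcmd() variant turns `admin -x 1` into the vector `-n admin -x 1 -c`, i.e. the injected option reaches the tool intact, while `admin; id` becomes `-n admin; id -c` with the semicolon neutralised, which is exactly the split Zenofex describes: command chaining is blocked, argument injection is not. The unescaped variant prints `INJECTED`, showing the second command ran. The hardened variant refuses `admin -x 1` outright and, for names that pass the allow-list, delivers the value as a single argument regardless of its contents. Escaping is only a mitigation, though; given that the article says these commands run as root, the web server should also be running as an unprivileged user so that a missed script does not hand over the whole device.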
For users of My Cloud products, these are zero-day vulnerabilities: unpatched at the time of publication, with working exploits already public.