A vulnerability in Western Digital My Cloud network-attached storage (NAS) that allows an attacker to bypass authentication and take control of the device with administrator permissions remains unpatched almost a year and a half after being reported initially.
The security bug, which received the identification number CVE-2018-17153 on Tuesday, was discovered by security researcher Remco Vermeulen at Securify on April 9, 2017, and reported to Western Digital the next day.
The researcher tested the flaw on a Western Digital My Cloud model WDBCTL0020HWT updated to firmware version 2.30.172. The problem is not limited to this model, though, because My Cloud products share the same code.
Exploiting the vulnerability
The authentication process to a My Cloud device generates a server-side session that is bound to the user’s IP address. After this step, authenticated CGI modules can be called by sending the cookie ‘username=admin’ in an HTTP request.
“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate. The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1,” Vermeulen explains.
If the attacker sets the ‘username=admin’ cookie, they get admin-level access to the device.
The researcher published a proof-of-concept code and detailed the steps to get control over a My Cloud NAS.
An attacker has first to set an admin session bound to their IP address.