Home Hacking News Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices

Authentication Bypass Vulnerability Disclosed in Western Digital My Cloud NAS Devices

by Harikrishna Mekala

Security Researchers at Securify have found an elevation of privilege vulnerability in the WD MyCloud platform which can be exploited by attackers to get admin-level access to devices using only a HTTP request. The flaw was given an ID of CVE-2018-17153. The flaw allows an unauthenticated attacker with network access to authenticate as an admin without the need for a password.

How can the Hacker access the data?

The Bad Actor can easily run the commands to access the content on the Drive.

“It was found that the Western Digital My Cloud is affected by an authentication bypass vulnerability that allows an unauthenticated user to create an admin session that is tied to their IP address.” reads the report published by Securify.

Where is the vulnerability?

The vulnerability currently resides in the process of the creation of an admin session which is implemented by the MyCloud devices that are bound to a user’s Ip address. When the session is created it is easy to call an authenticated method by simply sending the cookie of  a known username to the WD MyCloud with an HTTP request, the CGI then checks if the valid session is present and will simply provide access to the attacker.

“It was found that it is possible for an unauthenticated attacker to create a valid session without requiring to authenticate.” continues Securify.

“The network_mgr.cgi CGI module includes a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”

Experts have also published the PoC code for the WD MyCloud hack which is as follows:

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1

The Security Company has reported the vulnerability to WD in April but the company is still yet to reply.

Take your time to comment on this article.

You may also like