Thursday, 9 March 2017

Buggy backups! Unplug your WD My Cloud until these flaws are fixed

Consumers who use a Western Digital My Cloud for data backups should unplug their units for the time being due to a series of unpatched vulnerabilities.

On 7 March, the SEC Consult Vulnerability Lab disclosed vulnerabilities affecting the WD My Cloud private personal data storage unit. As it explains in an advisory:

"The firmware doesn't apply proper validation on many user inputs. As a result, below vulnerabilities could be exploited by unauthenticated attackers to fully compromise the device."

For instance, unauthenticated attackers could use a cURL request to upload a malicious file to the web server. They could then use that file to execute an arbitrary OS command, an attack vector that could grant them full control over the unit.

But that's not all. The firmware for WD My Cloud doesn't come with a mechanism designed to protect against cross-site request forgery attacks. Meaning? An attacker can trigger any action on the device through a crafted script, including uploading a malicious file or executing an arbitrary OS command over the Internet.
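The two missing controls the advisory points at are server-side input validation on uploads and anti-CSRF protection. The following is an added example (not code from SEC Consult, Western Digital or the My Cloud firmware) of what those controls look like in a request handler: a synchronizer token bound to the session and compared in constant time, plus a filename check that rejects path traversal and unexpected file types. The session store, the request dictionary and the allowed-extension list are constructed for the example.

```python
import hmac
import os
import re
import secrets

# Constructed stand-in for server-side session storage: session id -> CSRF token.
SESSIONS = {}

# Constructed allow-list; a real device would restrict to the types it needs.
ALLOWED_EXTENSIONS = {".jpg", ".png", ".txt", ".pdf"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def new_session():
    """Create a session and bind a fresh random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the legitimate UI embeds in its forms for this session."""
    return SESSIONS.get(sid)


def check_csrf(sid, submitted_token):
    """Synchronizer-token check: the token carried in the request must match
    the one bound to the session. A cross-site page cannot read that token,
    so a forged request cannot supply it. Constant-time compare."""
    expected = SESSIONS.get(sid)
    if expected is None or submitted_token is None:
        return False
    return hmac.compare_digest(expected, submitted_token)


def validate_upload_name(filename):
    """Reject traversal, odd characters and unexpected file types.
    Returns the sanitized basename, or None if the name is not acceptable."""
    if not isinstance(filename, str):
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    # Any directory component (including "../") means base != filename.
    if base != filename or not SAFE_NAME.match(base):
        return None
    if os.path.splitext(base)[1].lower() not in ALLOWED_EXTENSIONS:
        return None
    return base


def handle_upload(request):
    """Gate for an upload request. `request` is a constructed dict with the
    keys 'session', 'csrf_token' and 'filename'. Returns (status, message)."""
    sid = request.get("session")
    if sid not in SESSIONS:
        return (401, "authentication required")
    if not check_csrf(sid, request.get("csrf_token")):
        return (403, "csrf token missing or invalid")
    name = validate_upload_name(request.get("filename", ""))
    if name is None:
        return (400, "rejected filename")
    return (200, f"stored as {name}")


if __name__ == "__main__":
    sid = new_session()
    tok = csrf_token_for(sid)
    print(handle_upload({"session": sid, "csrf_token": tok, "filename": "notes.txt"}))
    print(handle_upload({"session": sid, "filename": "notes.txt"}))
    print(handle_upload({"session": sid, "csrf_token": tok, "filename": "../notes.txt"}))
```

The order of the checks matters: the session check refuses unauthenticated callers outright, the token check refuses requests a browser was tricked into sending, and only then is the filename inspected, so a request that fails an earlier gate never reaches the storage path.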