WD MyCloud vulnerabilities revealed
Don’t panic: most owners will not have noticed the recent silent firmware update that WD rolled out to all MyCloud devices connected to the internet. If yours has not been updated, open it through the MyCloud Dashboard software or website and check for updates.
Any internet-connected device, whether a router, TV, IoT gadget or NAS, can be attacked remotely. WD is by no means alone here, and it worked with Trustwave to address the issues quickly. Synology has just issued an advisory for its media server covering a flaw that allows remote attackers to conduct SQL injection attacks.
Note: if you do not use remote access (reaching your files over the internet), turn that feature off.
What MyCloud devices were affected
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
- MyCloud 04.X Series
- MyCloud 2.30.174
- MyCloud Home series
Hardcoded back door
The first issue is that a programmer who worked on the MyCloud firmware hardcoded a backdoor account and password. This should never have happened.
The CGI binary nas_sharing.cgi contains a hardcoded username and password for an administrative user. This allows a complete authentication bypass: anyone who knows the credentials can act as an administrator without ever logging in through the normal interface. The account name is “mydlinkBRionyg”.
Arbitrary file deletion via the nas_sharing.cgi binary
The CGI binary nas_sharing.cgi allows any user to delete any file from the device. The file to delete is taken from the “path” parameter.
Arbitrary shell command execution via the nas_sharing.cgi binary
The CGI binary nas_sharing.cgi allows any user to execute shell commands as root. The injection point is the “artist” parameter.
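As an added example (not code from the original article, from WD or from Trustwave), the following Python script scans web-server access logs for requests that match the three nas_sharing.cgi issues above: any query value equal to the hardcoded account name, any use of the “path” parameter, and any use of the “artist” parameter, with an extra flag when the latter carries shell metacharacters. The combined log format, the sample log lines and the “user” query parameter are assumptions made for illustration; the device's real log layout may differ, so adjust the regular expression before running it over your own logs.

```python
"""Flag access-log requests that match the nas_sharing.cgi issues.

Added example for this article; not WD or Trustwave code. The log layout
(Apache/nginx "combined" format) and the sample lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumed "combined" access-log layout: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

BACKDOOR_USER = "mydlinkBRionyg"          # account name given in the advisory
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")  # characters that chain shell commands


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs percent-decodes values, so encoded metacharacters are seen.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def findings(rec):
    """Return indicator names for one parsed request (empty list if clean)."""
    hits = []
    if not rec["path"].endswith("/nas_sharing.cgi"):
        return hits
    params = rec["params"]
    # The backdoor account name may arrive in any parameter, so check all values.
    if any(v.lower() == BACKDOOR_USER.lower()
           for values in params.values() for v in values):
        hits.append("hardcoded-admin-account")
    # Any caller can delete the file named in "path": treat every use as suspect.
    if "path" in params:
        hits.append("arbitrary-file-deletion")
    # "artist" is the command-injection point; metacharacters make it near-certain.
    if "artist" in params:
        hits.append("command-execution-parameter")
        if any(SHELL_META.search(v) for v in params["artist"]):
            hits.append("shell-metacharacters-in-artist")
    return hits


def scan(lines):
    """Scan log lines; return (line_number, client_ip, indicators) per hit."""
    results = []
    for number, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = findings(rec)
        if hits:
            results.append((number, rec["ip"], hits))
    return results


# Constructed sample log; the "user" parameter name is an assumption.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2018:09:12:01 +0000] "GET /cgi-bin/nas_sharing.cgi?user=mydlinkBRionyg HTTP/1.1" 200 512
203.0.113.5 - - [10/Jan/2018:09:12:07 +0000] "GET /cgi-bin/nas_sharing.cgi?artist=a%3Bid%3E%2Ftmp%2Fo HTTP/1.1" 200 77
203.0.113.5 - - [10/Jan/2018:09:12:13 +0000] "GET /cgi-bin/nas_sharing.cgi?path=%2Fetc%2Fpasswd HTTP/1.1" 200 40
192.0.2.10 - - [10/Jan/2018:09:15:00 +0000] "GET /web/index.html HTTP/1.1" 200 9183
"""

if __name__ == "__main__":
    for number, ip, hits in scan(SAMPLE_LOG.splitlines()):
        print(f"line {number}: {ip}: {', '.join(hits)}")
```

Run it against a copy of the device's web-server log (or a reverse proxy in front of it); any hit from an address outside your own network on a device that has not yet received the fixed firmware should be treated as a likely compromise, not just a scan.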
After a firmware update, users may notice that the device is no longer discoverable from outside the network or that its DLNA media server has been turned off. Both settings can be re-enabled in the WD dashboard management software.