Password bug in cloud storage products allowed hackers remote access

Western Digital releases a hotfix one year after the vulnerability was discovered

Passwords protecting access to some cloud storage may have been rendered useless by a privilege escalation exploit that was discovered one whole year ago.

The bug, which can allow an attacker to bypass device security, was reported on two separate occasions to Western Digital, the company in question.

However the cloud storage providers only released a hotfix last week via Twitter.

Western Digital, a US manufacturer of hard disks, data storage, and cloud systems, was found to have an authentication bypass vulnerability throughout a series of its My Cloud home storage products, which allow consumers to easily connect their personal information across devices.

The disclosed vulnerability would allow an unauthorized person to “gain complete control” of the storage system remotely.

That’s according to Remco Vermeulen, a researcher who first discovered the issue by reverse engineering the server-side program on a My Cloud device.

“Whenever an admin authenticates, a server-side session is created that is bound to the user's IP address,” said Vermeulen, writing his findings in a blog post.

“After the session is created it is possible to call authenticated CGI [Common Gateway Interface] modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.”

Vermeulen said that an attacker could create a session without the necessarily permissions due to a piece of exploitable code.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session tied to the IP address of the user making the request,” he said.

“Subsequent invocation of commands, that would normally require admin privileges, are now authorized if an attacker sets the username=admin cookie.”

When Vermeulen reported the issue to Western Digital in April 2017, he received no response.

Exploitee.rs, who discovered the same vulnerability independently, also said the company failed to acknowledge the issue when they reported it last year.

Vermeulen requested a CVE be assigned, and published his findings this month. This, along with media reports, prompted West Digital to release the hotfix.

Following the announcement, Vermeulen said: “Is it also possible to assign a single point of contact for future responsible disclosures?”

In January of this year, multiple vulnerabilities such as a remote code execution flaw were found present throughout Western Digital products, which were subsequently patched, but have left users and researchers alike less than confident about My Cloud security.