#VU9871 Hidden functionality (backdoor) in WD My Cloud
Vulnerability identifier: #VU9871
Vulnerability risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: N/A
CWE-ID:
CWE-912
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
WD My Cloud
Hardware solutions /
Office equipment, IP-phones, print servers
Vendor: Western Digital
Description
The vulnerability allows a remote attacker to gain unauthorized access to vulnerable device.
The vulnerability exists due to presence of a backdoor code (hard-coded account credentials) in firmware shared by WD My Cloud and D-LINK DNS-320L ShareCenter software. A remote attacker can send a specially crafted HTTP GET request to the affected device and gain unauthorized access to it.
Exploitation example:
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1
where login is "mydlinkBRionyg" and password is "abc12345cba".
List of affected Western Digital devices:
MyCloud
MyCloudMirror
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
My Cloud DL4100
Note: this vulnerability was updated according to GulfTech advisory. Vulnerability severity is raised to critical and this vulnerability is being treated as a zero-day.
Mitigation
Update to version 2.30.172.
Vulnerable software versions
WD My Cloud: 2.10.302 - 2.30.165
External links
https://support.wdc.com/download/notes/WD_My_Cloud_Firmware_Release_Notes_2.30.172.pdf?v=987
https://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
