[ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]

Raj Wurttemberg rajaw at c64.us
Tue Mar 7 12:44:06 EST 2017


Great...  I have one of these and absolutely love it. I do not have UPnP
enabled on my network and my MyCloud is behind a very restrictive firewall.

Thanks for all of the links.  The MyCloud is a mini-Debian system:

HomeCloud:~# cat /etc/issue
Debian GNU/Linux 7 \n \l

Curious to dig into the vulnerability and find a way to close the holes...

/Raj


-----Original Message-----
From: ale-bounces at ale.org [mailto:ale-bounces at ale.org] On Behalf Of Joey Kelly
Sent: Tuesday, March 7, 2017 10:28 AM
To: ale at ale.org
Subject: [ale] [Fwd: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities]

Sigh...


---------------------------- Original Message ----------------------------
Subject: [FD] Western Digital My Cloud vulnerable to multiple command injection vulnerabilities
From:    "Securify B.V." <lists at securify.nl>
Date:    Tue, March 7, 2017 9:41 am
To:      fulldisclosure at seclists.org
--------------------------------------------------------------------------

------------------------------------------------------------------------
Western Digital My Cloud vulnerable to multiple command injection
vulnerabilities
------------------------------------------------------------------------
Remco Vermeulen, January 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Western Digital My Cloud is affected by multiple
command injection vulnerabilities. Some of these issues don't require
authentication and allow an attacker to gain complete control (root access)
of the affected device. Some do require authentication; in this case an
attacker can use Cross-Site Request Forgery (CSRF, see advisory SFY20170104)
or authentication bypass (see advisory SFY20170102) and still gain complete
control of the vulnerable Western Digital device.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- https://security.szurek.pl/wd-my-cloud-mirror-211153-rce-and-authentication-bypass.html
- https://blog.exploitee.rs/2017/hacking_wd_mycloud/
- https://www.exploitee.rs/index.php/Western_Digital_MyCloud
- https://securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html
- https://securify.nl/advisory/SFY20170104/western_digital_my_cloud_vulnerable_to_cross_site_request_forgery_vulnerability.html

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
These vulnerabilities were successfully verified on a Western Digital My
Cloud model WDBCTL0020HWT running firmware versions 2.21.119 and 2.21.126.
These issues aren't limited to the model that was used to find these
vulnerabilities since most of the products in the My Cloud series share the
same (vulnerable) code.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170103/western_digital_my_cloud_vulnerable_to_multiple_command_injection_vulnerabilities.html


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


--
Joey Kelly
Minister of the Gospel and Linux Consultant http://joeykelly.net
504-239-6550
_______________________________________________
Ale mailing list
Ale at ale.org
http://mail.ale.org/mailman/listinfo/ale
See JOBS, ANNOUNCE and SCHOOLS lists at
http://mail.ale.org/mailman/listinfo
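Command injection of the kind the advisory describes, as an added, constructed illustration that is not code from the advisory, from Western Digital or from the My Cloud firmware: a request handler concatenates a user-supplied parameter into a shell command line, so a ';' in the parameter runs a second command of the attacker's choosing, while the hardened form passes an argument vector with no shell and allowlists the value before it reaches any command. The "share" parameter, the echo command standing in for the real system command, and the INJECTED marker are all assumptions chosen for this example.

```python
import re
import subprocess

# Constructed attacker input: a share name followed by a second shell command.
# On a device where the web UI runs as root, that second command runs as root.
PAYLOAD = "public; echo INJECTED"

# Assumed allowlist for share names (hypothetical; not the My Cloud's own rule).
SHARE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def run_unsafe(share: str) -> str:
    """Vulnerable pattern: the parameter is spliced into a command string and
    handed to /bin/sh, which parses ';' and executes the trailing command."""
    cmd = "echo share=" + share  # echo stands in for the real system command
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_safe(share: str) -> str:
    """Hardened pattern: no shell at all. argv is passed as a list, so ';' is
    just a byte inside one argument and nothing interprets it."""
    return subprocess.run(["echo", "share=" + share],
                          capture_output=True, text=True).stdout


def is_valid_share(share: str) -> bool:
    """Allowlist check applied before the value reaches any command."""
    return SHARE_NAME.fullmatch(share) is not None


def run_validated(share: str) -> str:
    """Defence in depth: reject anything outside the allowlist, then run the
    shell-free variant."""
    if not is_valid_share(share):
        raise ValueError("invalid share name")
    return run_safe(share)


def injected(output: str) -> bool:
    """True if the attacker's second command actually executed, i.e. INJECTED
    appears as a line of its own rather than as part of the echoed argument."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    for label, fn in (("unsafe", run_unsafe), ("safe", run_safe)):
        out = fn(PAYLOAD)
        print(f"{label:7s} {out!r}  injected={injected(out)}")
    try:
        run_validated(PAYLOAD)
    except ValueError as exc:
        print("validated rejected payload:", exc)
```

The two defences are independent: dropping shell=True removes the interpreter that gives ';' its meaning, and the allowlist keeps unexpected bytes out of the argument even if some later code path does end up in a shell. The first is the one that closes the hole; the second is what you add so a future refactor cannot silently reopen it.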