Authentication Bypass Vulnerability In Western Digital My Cloud Allows Escalation To Admin Privileges
(Sep 18, 2018)
A vulnerability in the “My Cloud” devices from the storage solutions company Western Digital was discovered. This vulnerability, registered as “CVE-2018-17153,” allows unauthorised actors to bypass authentication and have their activity from a specific IP address treated as that of an administrator. A threat actor could establish an administrator session through the device's “network_mgr.cgi” CGI module over HTTP, binding an admin session to their own IP address; this lets the actor bypass subsequent authentication when logging into the device over the internet and gives them complete control over it. At the time of publication, a patch had not been developed or released.
Recommendation: This vulnerability affects the My Cloud products (with the exception of “My Cloud Home”). Western Digital is in the process of creating a scheduled firmware update that will address the problem in the coming weeks. In the meantime, a hotfix has been released and is available for immediate download from this URL: https://support.wdc.com/knowledgebase/answer.aspx?ID=25952&s
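Until the firmware update lands, a defender can at least watch the device's web-server logs for requests to the module the article names arriving from outside the local network. The following is an added example and is not code from the article or from Western Digital; it assumes the device's HTTP front end writes Apache/nginx-style combined access log lines (the real format on a given firmware may differ), assumes the module is served under a `/cgi-bin/` path, and uses constructed sample log lines rather than real traffic.

```python
"""Flag remote requests to network_mgr.cgi in My Cloud web-server access logs.

Added example (not from the article or Western Digital). Assumptions:
  * combined access-log format (an assumption about the device's logging);
  * the CGI module is reachable under /cgi-bin/ (assumed path prefix);
  * RFC 1918 and loopback ranges count as "local"; anything else is remote.
"""
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

LOCAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# The module named in the advisory; the /cgi-bin/ prefix is an assumption.
WATCHED_MODULE = "network_mgr.cgi"


def is_local(ip_str):
    """True if the address falls inside one of the local ranges above."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in LOCAL_NETS)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return {source_ip: request_count} for non-local requests to the module.

    Local administrators legitimately touch the module, so only traffic from
    outside the local ranges is reported; malformed lines are skipped.
    """
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if WATCHED_MODULE in rec["path"] and not is_local(rec["ip"]):
            hits[rec["ip"]] += 1
    return dict(hits)


# Constructed sample lines (not captured traffic). 203.0.113.0/24 is a
# documentation range standing in for an arbitrary internet address.
SAMPLE_LOG = [
    '192.168.1.20 - - [18/Sep/2018:09:58:11 +0000] '
    '"GET /cgi-bin/network_mgr.cgi HTTP/1.1" 200 640',
    '203.0.113.45 - - [18/Sep/2018:10:15:02 +0000] '
    '"GET /cgi-bin/network_mgr.cgi HTTP/1.1" 200 512',
    '203.0.113.45 - - [18/Sep/2018:10:15:03 +0000] '
    '"POST /cgi-bin/network_mgr.cgi HTTP/1.1" 200 77',
    '203.0.113.45 - - [18/Sep/2018:10:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048',
    'this line is deliberately malformed and must be skipped',
]

if __name__ == "__main__":
    for ip, count in sorted(find_suspicious(SAMPLE_LOG).items()):
        print(f"remote source {ip} hit {WATCHED_MODULE} {count} time(s)")
```

Any non-zero result is a reason to check whether the device is reachable from the internet at all; the article's recommendation is to apply the hotfix, and not exposing the management interface beyond the LAN removes the remote path it describes.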
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.