
Thursday, September 20, 2018

WD My Cloud NAS Boxes Can be Hacked Over The Internet, Claim Researchers

Miscreants can remotely gain full control of devices


Security researchers at Securify have discovered a vulnerability in Western Digital’s My Cloud NAS boxes that can grant attackers complete control over their contents. The exploit requires either local network or internet access to a My Cloud device and bypasses the NAS box's usual login requirements.

Tracked as CVE-2018-17153, the bug could potentially also give hijackers the ability to run commands that would typically require administrative privileges. Once access has been gained, hackers can view, copy, delete or overwrite any files that are stored on the device.

Your cloud can be pwned

According to Securify, "The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1. Subsequent invocation of commands that would normally require admin privileges is now authorized if an attacker sets the username=admin cookie."

Cutting through the jargon, the vulnerability lies in the way WD My Cloud sets up an admin session tied to an IP address. By simply adding the cookie username=admin to an HTTP CGI request sent via a local network or internet connection, anyone can gain access to the content stored on the NAS box.
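One way to hunt for this two-step sequence in web logs, as an added example that is not from the original article or the researchers' advisory: it flags client IPs that call cgi_get_ipv6 with flag=1 and then send requests carrying the username=admin cookie. The log format, the /cgi-bin/ prefix, the cmd= key and example_admin.cgi are assumptions made for the constructed sample.

```python
import re

# Assumed log format: timestamp, client IP, "request line + parameters", cookie="...".
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" cookie="([^"]*)"$')
FLAG_RE = re.compile(r'(?:^|[?&\s])flag=1(?=&|\s|$)')  # flag=1, not flag=10

# Constructed sample. The /cgi-bin/ prefix, the cmd= key and example_admin.cgi
# are placeholders, not values taken from the article.
SAMPLE_LOG = """
2018-09-20T10:00:01Z 192.0.2.10 "POST /cgi-bin/network_mgr.cgi cmd=cgi_get_ipv6&flag=1" cookie="-"
2018-09-20T10:00:02Z 192.0.2.10 "POST /cgi-bin/example_admin.cgi cmd=example_action" cookie="username=admin"
2018-09-20T10:00:05Z 198.51.100.7 "POST /cgi-bin/network_mgr.cgi cmd=cgi_get_ipv6&flag=10" cookie="-"
2018-09-20T10:00:06Z 198.51.100.7 "GET /index.html" cookie="username=admin"
2018-09-20T10:00:09Z 203.0.113.5 "GET /index.html" cookie="username=administrator"
"""

def is_priming_request(request):
    """Request that invokes cgi_get_ipv6 in network_mgr.cgi with flag=1."""
    return ("network_mgr.cgi" in request and "cgi_get_ipv6" in request
            and FLAG_RE.search(request) is not None)

def has_admin_cookie(cookie_header):
    """True only for an exact username=admin cookie pair."""
    return any(c.strip() == "username=admin" for c in cookie_header.split(";"))

def find_bypass_sequences(log_text):
    """Return {ip: {"primed_at": ts, "followups": [(ts, request), ...]}}."""
    primed, findings = {}, {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unparseable lines
        ts, ip, request, cookie = m.groups()
        if is_priming_request(request):
            primed.setdefault(ip, ts)  # remember the first priming request per IP
        elif ip in primed and has_admin_cookie(cookie):
            entry = findings.setdefault(ip, {"primed_at": primed[ip], "followups": []})
            entry["followups"].append((ts, request))
    return findings

if __name__ == "__main__":
    for ip, hit in find_bypass_sequences(SAMPLE_LOG).items():
        print(ip, "primed at", hit["primed_at"], "->", len(hit["followups"]), "admin-cookie request(s)")
```

Hits are candidates for triage, since the sequence alone does not prove the requests came from someone other than the device's administrator.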

Securify raised the issue with Western Digital in April, when the flaw was first discovered, but never heard back from the company. After five months of silence from WD, Securify has decided to publicly disclose the vulnerability.

We’ve contacted Western Digital for a comment and will update this page when we know more.


