Western Digital My Cloud can be accessed with admin privileges via an HTTPS request.

 

Attackers can gain admin-level privileges on the Western Digital My Cloud platform with nothing more than a specially crafted HTTP request.

Researchers at vulnerability shop Securify say the vulnerability, tracked as CVE-2018-17153, would allow a cyber attacker with network access to the device to bypass the login controls and create a session with admin privileges.

A cyber attacker would gain full control over the NAS devices, including the ability to view and copy all stored data as well as overwrite and erase contents.

According to Securify, the vulnerability creates admin sessions that are attached to an IP address. When an attacker sends a CGI call to the device (as an HTTP request), they can also include a cookie containing username=admin.

If properly constructed, the request would then establish an admin login session to the device without ever asking for a password.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1,” Securify explains.

“Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”

 

The researchers have also posted a proof of concept (POC) that shows how the bug could be targeted with a few lines of code.

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1
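
For defenders, the two-step pattern Securify describes can be matched in HTTP traffic captured in front of the NAS. The following is an added example, not code from Securify or Western Digital; the class name, the result labels, the 192.0.2.x source addresses and the placeholder follow-on request are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit


def parse_request(raw):
    """Split a raw HTTP/1.x request into (path, parameters, cookies)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    target = lines[0].split(" ")[1]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = parse_qs(url.query)  # parameters may also arrive in the URL
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for key, values in parse_qs(body.strip()).items():
            params.setdefault(key, []).extend(values)
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    return url.path, params, cookies


class Cve201817153Detector:
    """Tracks, per source IP, the two-step pattern Securify describes."""
    def __init__(self):
        self.primed = set()  # IPs that sent cgi_get_ipv6 with flag=1

    def inspect(self, src_ip, raw):
        path, params, cookies = parse_request(raw)
        if not path.startswith("/cgi-bin/"):
            return None
        if (path.endswith("/network_mgr.cgi")
                and "cgi_get_ipv6" in params.get("cmd", [])
                and "1" in params.get("flag", [])):
            self.primed.add(src_ip)  # session is tied to this address
            return "session-priming"
        if cookies.get("username") == "admin" and src_ip in self.primed:
            return "admin-cookie-after-priming"
        return None


# Constructed samples: the first is the request shown above; the second uses a
# placeholder CGI name and command, not real My Cloud endpoints.
PRIMING = ("POST /cgi-bin/network_mgr.cgi HTTP/1.1\r\nHost: wdmycloud.local\r\n"
           "Content-Type: application/x-www-form-urlencoded\r\n"
           "Cookie: username=admin\r\nContent-Length: 23\r\n\r\ncmd=cgi_get_ipv6&flag=1")
FOLLOW_ON = ("POST /cgi-bin/placeholder.cgi HTTP/1.1\r\nHost: wdmycloud.local\r\n"
             "Content-Type: application/x-www-form-urlencoded\r\n"
             "Cookie: username=admin\r\nContent-Length: 15\r\n\r\ncmd=placeholder")
```

A match is a lead to triage against the source address, not proof of compromise, since the page does not say whether the device's own web interface issues the same command.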

 

Securify says it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.

Western Digital did not return a Reg request for comment on the matter.