Advisory

Remco Vermeulen, January 2017

Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability

Abstract

It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. This issue can be combined with a command injection vulnerability (see advisory SFY201703) to gain complete control (root access) of the affected device.

See also

- SFY20170102 - Authentication bypass vulnerability in Western Digital My Cloud
- SFY20170103 - Western Digital My Cloud vulnerable to multiple command injection vulnerabilities

Tested versions

This issue was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.21.126. The issue isn't limited to the used model since most of the products in the My Cloud series share the same (vulnerable) code.

Fix

There is currently no fix available.

Details

Western Digital My Cloud is a low-cost entry-level network-attached storage device. It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. When combined with command injection (see advisory SFY201703) this issue allows an attacker to gain complete control (root access) of the affected device.

This issue exists due to the fact that the My Cloud device lacks protection against Cross-Site Request Forgery attacks. In order to exploit this vulnerability, an attacker has to lure an authenticated My Cloud device user (some command injections require an admin user whereas others also allow users with fewer privileges) into executing a malicious link crafted to exploit a command injection in a vulnerable My Cloud device.

Work with us →