[Update] The Western Digital My Cloud range of storage devices, ranging from consumer products with up to 16TB storage (My Cloud Mirror) to business devices with up to 32TB storage (My Cloud Pro and My Cloud Expert) contain multiple firmware vulnerabilities that can be exploited remotely.
The bugs reported by Zenofex of Exploiteers comprise a login bypass, an arbitrary file write, 13 unauthenticated command execution bugs, and 70 authentication-required bugs. The authentication-required bugs can be reached via the login bypass bug.
In a blog posted on Saturday, Zenofex explains that he was analyzing a bug that had separately been found and reported (with others) to Western Digital by ESET researcher Kacper Szurek. In January, Szurek reported that on 1 January 2017, Western Digital told him the issue had been fixed.
Meanwhile, Securify also issued an advisory on the same authentication bypass bug. The timeline is very similar to Szurek's but quotes a different firmware release to fix the bug -- and laments that it had not been informed by Western Digital that the bug had been fixed.
Zenofex does not quote firmware release numbers. He merely wrote on Saturday that in patching the old bug, Western Digital had introduced a new one with the very same consequences into its latest firmware. Western Digital 'fixed' the old cookie-based vulnerability by adding a new "wto_check()" function. The problem here, says Zenofex, "is the incorrect use of the PHP method "escapeshellcmd()" which, in its intended usage, handles an entire command string, and not just an argument... Because of this," he adds, "instead of actually checking if the user is logged in, we can add new arguments and log the user in ourselves."
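As an added illustration that is not code from the article or from the My Cloud firmware, the following PHP contrasts escapeshellcmd() and escapeshellarg() on a value that is supposed to be a single argument. The argument-counting shell command is a constructed stand-in; the wto_check() logic itself is not reproduced.

```php
<?php
// Added example: why escapeshellcmd() is the wrong tool for a single argument.
// The shell command below is a constructed probe that only reports how many
// positional arguments it received; it stands in for any real helper.
const ARGC_PROBE = "sh -c 'echo \$#' probe";

// Weak pattern: escapeshellcmd() neutralises metacharacters such as ; | & `
// but is designed for a WHOLE command line, so it leaves whitespace alone.
// A value containing spaces is therefore split into several arguments.
function argcWithEscapeshellcmd(string $value): int {
    return (int) trim(shell_exec(ARGC_PROBE . ' ' . escapeshellcmd($value)));
}

// Corrected pattern: escapeshellarg() wraps the value in single quotes and
// escapes embedded quotes, so the shell always sees exactly one argument.
function argcWithEscapeshellarg(string $value): int {
    return (int) trim(shell_exec(ARGC_PROBE . ' ' . escapeshellarg($value)));
}

// Constructed input: a username followed by two extra words.
$value = 'alice extra1 extra2';
printf("escapeshellcmd: %d argument(s)\n", argcWithEscapeshellcmd($value));
printf("escapeshellarg: %d argument(s)\n", argcWithEscapeshellarg($value));
```

The first call reports three arguments and the second reports one, which is the difference between "checking a value" and "letting the caller supply additional arguments" that the paragraph above describes.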
Once the attacker has logged on, he can exploit any one of many unsanitized CGI scripts. Instead of being properly sanitized, they appear to rely on only being accessible to an authenticated user -- which cannot be guaranteed because of the authentication bypass vulnerability. "This basic pattern resulting in a command injection vulnerability is used multiple times within the many scripts used by the web interface," comments Zenofex. "Also, it is important to note that all commands executed through the web interface are done so as the user the web-server is running as, which, in this case is root."
Users of My Cloud products should note that these are effectively zero-day vulnerabilities with published exploits. Zenofex explained that he has little confidence in Western Digital's willingness to patch the faults rapidly. He pointed out that Szurek mentioned a second bug -- a remote root execution vulnerability as well as the authentication bypass. "Although the reported authentication bypass vulnerability was 'patched'," Zenofex told SecurityWeek, "the fact that the more dangerous of the two bugs has been left unfixed does not give us confidence in the manufacturer."
To this he adds Western Digital's Pwnie Award for Lamest Vendor Response at last summer's Black Hat in Las Vegas. This followed the 2015 discovery that Western Digital's 32-bit encryption key was actually a 4-bit key repeated eight times -- making it very weak. A Western Digital spokesperson said at the time, "We continue to evaluate the observations."
This, Zenofex told SecurityWeek, "eliminates the confidence we have in regards to a manufacturer's ability to properly triage and fix vulnerabilities in their code. It's also important to note that in all our previous research on consumer devices, until researching the My Cloud, we hadn't come across an administrator interface with as many severe security vulnerabilities as that found through our research in this product. To us this signifies a code base that had not properly been audited prior to its use within a retail product as well as programmers who are unaware of safe programming practices."
This is not the first time that Exploiteers have found bugs in patched code. Patches to Samsung SmartCams were revealed in January to be incomplete.
Exploiteers started life in 2011 as GTVHacker, with, explained Zenofex, "the intention to help unlock devices within the GoogleTV platform. These GoogleTV devices were being created by manufacturers and came locked to a specific configuration. The devices would then be abandoned shortly after their launch causing the consumer to buy a new device, sending the old one to the landfill. Our goal was to give the consumers the ability to unlock their devices and repurpose them, preventing the need to purchase another. A few years after our conception, the GoogleTV platform died and we renamed ourselves 'Exploitee.rs'. This fits our new mission statement: hacking everything and therefore creating a better state for online devices."
Western Digital has provided a lengthy comment on the Exploiteers' disclosure, which is reproduced in full below. It starts by demonstrating that the company is able to work with researchers within the framework of responsible disclosure, and then says that Exploiteers should have done the same and could have been told that the vulnerabilities were already known and in the process of being fixed.
Western Digital comment:
Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell that were addressed with the firmware update made available on December 20, 2016. We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at https://support.wdc.com/downloads.aspx?lang=en#firmware; and ensure their My Cloud devices are set to enable automatic firmware updates.
Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers' needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.
However, SEC Consult today issued its own advisory on Western Digital vulnerabilities. It reported similar vulnerabilities to those disclosed by Exploiteers to Western Digital on January 18; but it wasn't until February 16 that Western Digital requested the full vulnerability advisory from SEC Consult.
On February 21, Western Digital requested 90 days (the standard responsible disclosure period) to fix the bugs before public disclosure. SEC Consult declined, saying the 90 days would run from January 18. It adds that because of Exploiteers' subsequent disclosure, there is no longer any reason to keep quiet, and has now issued its own advisory.
The timeline to this advisory is particularly interesting. SEC Consult asked for a security contact, but was told by Western Digital, "we don't have a security department that we could forward this concern". When asked to forward the advisory details to Western Digital, SEC Consult asked for "encryption information to send advisory." Western Digital asked for the details to be sent unencrypted, and on February 20, SEC Consult "provided advisory and proof of concept through insecure channel as requested."
*Updated with statement from Western Digital and additional details