A DNS configuration issue on a Western Digital (WD) server supporting the company’s My Cloud NAS products could have been exploited by malicious actors to gain access to potentially valuable user data. WD has taken steps to address the problem.
Security researcher John W. Garrett discovered that a WD nameserver hosted at oriondns2.wd2go.com was not configured properly, allowing what is known as a DNS zone transfer.
The Domain Name System (DNS), the system that maps host names to IP addresses, allows a DNS namespace to be divided into different zones, represented by files that contain all the records for a specific domain. Zone transfer is the process of copying the content of a zone file from a primary DNS server to a secondary server.
Since these zone files contain information that could be useful to an attacker, experts recommend disabling zone transfer for public DNS servers. If the nameserver, the web server that runs DNS software, is incorrectly configured, an attacker can conduct a zone transfer and gain access to the zone file.
Garrett told SecurityWeek that WD’s oriondns2.wd2go.com nameserver allowed for a zone transfer of wd2go.com, giving access to the domain’s zone file. The researcher found that the zone file contained over 5.9 million records, including more than 1.1 million unique IP addresses and associated hostnames belonging to WD My Cloud users.
According to Garrett, the fact that the zone file was accessible did not pose a major security risk on its own. However, the expert pointed out that the information would have been highly useful for a malicious actor looking to exploit a zero-day vulnerability in WD My Cloud products, as it provided the attacker a long list of vulnerable users.
“Taken into account with what will be typically stored on a device like this and you have an astronomical loss of pictures, private details, banking information, etc,” Garrett said.
WD said it corrected the configuration and eliminated the vulnerability within hours of being notified by the researcher. The same issue was also addressed on a second server.
The company said it scanned all of its servers to ensure that they are not exposed by similar issues, and reviewed the architecture and processes in place for modifying the configuration of nameservers.
“In addition, we performed an architecture and code review to measure the potential impact of other risks identified by the security report. Based on that review, we have prepared a balanced response that, in the event of detection of any active attacks, will mitigate those identified risks while minimizing potential disruptions to our customers,” WD said in an emailed statement.
Garrett also advised WD to release a software patch to change the hostname of each exposed device, but the vendor determined that the process introduces other problems that outweigh the security risks, especially since there is no evidence that someone other than the researcher accessed the zone file.
“We sincerely thank John W. Garrett for engaging Western Digital to responsibly disclose this concern in a manner that puts our customers and their security first. We highly value and encourage this kind of responsible community engagement and collaborative problem-solving because it ultimately benefits our customers by making our products better. We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support,” WD said.
Many vulnerable servers in the wild
WD’s misconfigured nameserver is just one of the many identified by Garrett. The researcher said he scanned a total of 6.8 million domains and identified over 508,000 vulnerable domains and more than 130,000 vulnerable nameservers.
“The main theory is that if a given nameserver allows for zone file transfer for more than one host; odds are good that the nameserver is misconfigured and will give away zone files for all hosts it resolves for,” he explained.
Garrett harvested the zone files using a tool he developed. The dataset has been made available on the Internet-Wide Scan Data Repository (scans.io) hosted by the Censys Team at the University of Michigan.