Why it matters: The matter of data privacy and security rears its ugly head every time a hardware vendor refuses to acknowledge or take notice of exploits which compromise their customers' data. While customer data is exposed, no one is minding the store. This time, despite a number of reports to WD, a glaring one year-old vulnerability is yet to be patched.
A critical security flaw in Western Digital's popular My Cloud family of NAS devices allows hackers to gain full access to the devices' contents. Remco Vermeulen, a Dutch security researcher has just published a report on this well-known privilege escalation attack for MyCloud devices, but only after having tried to address the issue with Western Digital and getting nothing but hot air.
The "authentication bypass vulnerability", he said, grants an attacker access to admin privileges, before logging into the device. This allows the attacker to create a reverse shell, giving them access to the user's files on the drive(s). The vulnerability is present even on a remote connection via the internet, if the owner of the device has previously enabled remote access.
The same security researcher states he had previously disclosed details on other attacks which, to date, WD has not bothered to patch in its firmware updates.
I recorded a poc showing how a user's browser can be abused to attack the #MyCloud that is only accessible on the local network. It chains the privilege escalation with a post auth command injection to create a reverse shell. pic.twitter.com/eTRtlIlVRN
--- Remco Vermeulen (@RemcoVermeulen) September 18, 2018
The fact has been corroborated by Exploitee.rs who said they'd also reported the same vulnerability and even documented the entire process.
Western Digital's My Cloud series of devices are notoriously vulnerable with a number of attacks being reported several times in the media. The problem, however, remains.
In the last few hours, WD's crack team of engineers has replied to the public disclosure and stated they are working on a "scheduled firmware update that will resolve the issue," and advised customers to reach out to their support team. The hardware vendor has recognized, in a blog post, that a number of its devices which use the Dashboard Cloud Access remain vulnerable to the exploit, including the My Cloud EX2, EX4, Mirror, PR2100, PR4100 among others. You can find a full list here.
To be fair, WD is not the first, and will not be the last hardware vendor to market products with glaring vulnerabilities, but it stands to reason that there be a time limit on patching up the leaky sieve once it's been reported.