The Western Digital My Cloud range of storage devices, ranging from consumer products with up to 16TB storage (My Cloud Mirror) to business devices with up to 32TB storage (My Cloud Pro and My Cloud Expert) contain multiple firmware vulnerabilities that can be exploited remotely.
Bugs reported by Zenofex of Exploiteers comprise of a login bypass, an arbitrary file write, 13 unauthenticated command execution bugs, and 70 authentication required bugs. The authentication required bugs can be reached via the login bypass bug.
In a blog posted on Saturday, Zenofex explains that he was analyzing a bug that had separately been found and reported (with others) to Western Digital by ESET researcher Kacper Szurek. In January, Szurek reported that on 1 January 2017, Western Digital told him the issue had been fixed.
Meanwhile, Securify also issued an advisory on the same authentication bypass bug. The timeline is very similar to Szurek’s but quotes a different firmware release to fix the bug — and laments that it had not been informed by Western Digital that the bug had been fixed.
Zenofex does not quote firmware release numbers. He merely wrote on Saturday that in patching the old bug, Western Digital had introduced a new one with the very same consequences into its latest firmware. Western Digital ‘fixed’ the old cookie-based vulnerability by adding a new “wto_check()” function. The problem here, says Zenofex, “is the incorrect use of the PHP method “escapeshellcmd()” which, in its intended usage, handles an entire command string, and not just an argument… Because of this,” he adds, “instead of actually checking if the user is logged in, we can add new arguments and log the user in ourselves.”
Once the attacker has logged on, he can exploit any one of many unsanitized CGI scripts. Instead of being properly sanitized, they appear to rely on only being accessible to an authenticated user — which cannot be guaranteed because of the authentication bypass vulnerability. “This basic pattern resulting in a command injection vulnerability is used multiple times within the many scripts used by the web interface,” comments Zenofex. “Also, it is important to note that all commands executed through the web interface are done so as the user the web-server is running as, which, in this case is root.”
Users of My Cloud products should note that these are effectively zero-day vulnerabilities with published exploits. Zenofex explained that he has little confidence in Western Digital’s willingness to patch the faults rapidly. He pointed out that Szurek mentioned a second bug — a remote root execution vulnerability as well as the authentication bypass. “Although the reported authentication bypass vulnerability was ‘patched’,” Zenofex told SecurityWeek, “the fact that the more dangerous of the two bugs has been left unfixed does not give us confidence in the manufacturer.”
To this he adds Western Digital’s Pwnie award for the Lamest Vendor Response at last summer’s Vegas BlackHat. This followed the 2015 discovery that Western Digital’s 32-bit encryption key was actually a 4-bit key repeated eight times — making it very weak. A Western Digital spokesperson said at the time, “We continue to evaluate the observations.”
This, Zenofex told SecurityWeek, “eliminates the confidence we have in regards to a manufacturer’s ability to properly triage and fix vulnerabilities in their code. It’s also important to note that in all our previous research on consumer devices, until researching the My Cloud, we hadn’t come across an administrator interface with as many severe security vulnerabilities as that found through our research in this product. To us this signifies a code base that had not properly been audited prior to its use within a retail product as well as programmers who are unaware of safe programming practices.”
This is not the first time that exploiteers have found bugs in patched code. Patches to Samsung SmartCams were revealed in January to be incomplete.
Exploiteers started life in 2011 as GTVHacker, with, explained Zenofex, “the intention to help unlock devices within the GoogleTV platform. These GoogleTV devices were being created by manufacturers and came locked to a specific configuration. The devices would then be abandoned shortly after their launch causing the consumer to buy a new device, sending the old one to the landfill. Our goal was to give the consumers the ability to unlock their devices and repurpose them, preventing the need to purchase another. A few years after our conception, the GoogleTV platform died and we renamed ourselves ‘Exploitee.rs’. This fits our new mission statement: hacking everything and therefore creating a better state for online devices.”
Western Digital has been invited to respond to Zenofex’s exploits and criticisms, and has promised to do so later today. We will update this article as soon as any response is received.
Source: SANS ISC SecNewsFeed @ March 6, 2017 at 12:45PM