
Recently there were around 70 vulnerabilities found within Western Digital's "My Cloud" devices. I am curious to know more about the scope of these vulnerabilities. All of the vulnerabilities have been listed by Exploitee.rs here.

There they talk about how to bypass the login and gain administrative rights for the drive. My question is, can this extend beyond the drive itself? If the drive was hooked up to computers on the network, would that allow the intruder to then access files on a computer that is hooked up to the drive, or is this limited to files that are on the drive?

I guess the way I could see someone using it to gain access to other computers in the network would be to upload some file with a trojan on it, so that when someone then accesses the drive on the network, that trojan will be visible on that computer.

What is the scope of these vulnerabilities? What are the network implications if the drive is compromised?

Anders
Adjit

2 Answers


MyCloud is a service that runs on the NAS. The exploits documented on the site you link to allow three different things:

1) Bypass login and pose as a MyCloud administrator

2) Place files anywhere on the NAS

3) Execute commands on the NAS

These exploits are limited to the NAS device itself, but as you point out, once an attacker has gained access to the NAS, he can use that as a stepping stone into your home network / your connected devices.

For example, the ability to place any file he wants on the NAS allows him to place viruses, trojans and other malware on your NAS. Once you open the affected files on your other devices, they might become infected.

Having access to the NAS itself allows an attacker to spy on your unencrypted network traffic unless your network is very well protected against various spoofing techniques. For example, if you're using a local mail program to send and receive mail and you communicate with your mail server unencrypted, an attacker can potentially read (and change) all your incoming and outgoing e-mail.

The compromised NAS does NOT give an attacker immediate direct access to data sitting on devices that simply connect to the NAS via a file-exchange protocol such as SMB, NFS or FTP in order to use network storage. However, the NAS will (most likely) have an unfiltered view of the network services running on the devices in your home network. If, for example, you're using Windows and you've enabled file sharing on all computers in your home network, this service will also be visible to an attacker sitting on the NAS.

Access to the NAS also gives an attacker access to the password database of the NAS. Depending on how well passwords are protected by the NAS software, this might allow an attacker to recover your passwords, and since it's not a stretch to assume that you reuse this password elsewhere, he could gain access to other services you use.

For these reasons, I would never ever run a cloud solution of one of the consumer-grade NAS providers on my home network. If you really want to do that, you should at the very least put a firewall between the NAS and the rest of your home network. While this won't help against the NAS passively infecting your other devices with trojans, it will at least make actively attacking your other devices from the NAS, and spying on your network traffic from the NAS, much harder.

The firewall can also be used to deny any connections from the NAS into the internet (except the ones needed to do file sharing), which will help against your NAS being co-opted as part of a botnet.

Out of Band
  • That's a great answer; I will definitely now consider setting up a firewall at home. I do have one quick follow-up question... how would someone even connect to the NAS device to utilize these exploits? – Adjit Mar 10 '17 at 19:29
  • MyCloud is designed to give you access to your NAS/files from the internet. So once you've set up your internet box to allow access to the NAS from outside and enabled MyCloud, the MyCloud service becomes reachable - and exploitable - from the internet. You're safe as long as you disable My Cloud on the NAS, or disallow externally initiated connections to the NAS on your internet router. – Out of Band Mar 10 '17 at 19:51
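What the firewall recommended in the answer above can look like in practice, as an added example that is not part of the answer and not Western Digital documentation: an nftables ruleset for a home router that has the NAS on its own interface/VLAN. The interface names (lan0, nas0, wan0), the subnets (192.168.1.0/24 for the LAN, 192.168.2.0/24 for the NAS segment) and the NAS address 192.168.2.20 are assumptions chosen for the example; only SMB and NFS are let through from the LAN to the NAS, and the NAS is not allowed to open any connection toward the LAN, the router's own management services or the internet.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset (not from the answer or the vendor).
# Assumed layout: the NAS sits alone behind router interface "nas0"
# (192.168.2.0/24, NAS at 192.168.2.20); the other home devices are on
# "lan0" (192.168.1.0/24); "wan0" faces the internet.

table inet nas_guard {
    chain forward {
        # Everything crossing between segments is dropped unless allowed below
        type filter hook forward priority 0; policy drop;

        # Replies belonging to connections that were accepted below
        ct state established,related accept
        ct state invalid drop

        # LAN clients may open file-sharing sessions to the NAS, nothing else
        iifname "lan0" oifname "nas0" ip daddr 192.168.2.20 tcp dport { 139, 445 } ct state new accept   # SMB
        iifname "lan0" oifname "nas0" ip daddr 192.168.2.20 tcp dport { 111, 2049 } ct state new accept  # NFS: portmapper + nfsd
        iifname "lan0" oifname "nas0" ip daddr 192.168.2.20 udp dport { 111, 2049 } ct state new accept

        # The NAS never initiates connections into the LAN: log it, then drop
        iifname "nas0" oifname "lan0" ct state new log prefix "nas-to-lan " counter drop

        # The NAS never initiates connections to the internet either.
        # If you deliberately keep a remote-access service enabled, add a
        # narrow accept rule here for that service's destinations only.
        iifname "nas0" oifname "wan0" ct state new log prefix "nas-to-wan " counter drop
    }

    chain input {
        # Traffic addressed to the router itself. Policy stays accept so the
        # other interfaces are unaffected; only the NAS segment is restricted.
        type filter hook input priority 0; policy accept;

        # The NAS needs DHCP, DNS and NTP from the router and nothing more
        iifname "nas0" udp dport { 53, 67, 123 } accept
        iifname "nas0" tcp dport 53 accept
        iifname "nas0" ct state new log prefix "nas-to-router " counter drop
    }
}
```

Load it with `nft -f nas_guard.nft` on the router; because `nft -f` appends to an existing table, run `nft delete table inet nas_guard` before reloading a changed version, and check the result with `nft list table inet nas_guard`. Dropped attempts show up in the kernel log with the `nas-to-lan`, `nas-to-wan` and `nas-to-router` prefixes, which is a cheap way to notice a NAS that has started scanning. Two caveats match the answer's own: the rules only help if the NAS really is on a separate Layer 2 segment (a firewall on the same switch fabric does nothing against ARP spoofing), and they do nothing against malware that a user copies off the share, because that traffic is exactly the SMB/NFS traffic the rules allow.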

I think it's worse than just switching the cloud parts off: some of the vulnerabilities (just set a cookie to be classed as logged in; trust the supplied data for uploading a manual firmware update) I think mean that visiting a malicious website could cause the MyCloud to upload and install an update of the attacker's choosing. It might be that the firewall would stop this, but since it's ultimately a machine inside the LAN that makes the request to the MyCloud (the victim accesses website X, X says some resource it needs is on the MyCloud (requested in such a way that the upload gets triggered), and the victim's browser requests it), it might not. Hopefully I'm missing something. Is an attack along these lines possible? Or is a little knowledge being dangerous and making me worry unnecessarily?

Jonathan