WD My Cloud backdoor for everyone

Original author: Greg Synek

The other day, a vulnerability was published in NAS devices from Western Digital. Or rather, a genuine built-in backdoor, for which there is still no official patch at the moment.

The backdoor allows anyone to gain root access to the devices simply by using a username and password that are hardcoded into many of WD's NAS products.

More details under the cut.

James Bercegay discovered the vulnerability in mid-2017, but the official patch was never released within the 6 months WD had been given to fix the problem.

Details of the vulnerability and an example exploit were published by GulfTech on January 5, 2018.

An additional nuisance of the backdoor is that the username and password are hardcoded and cannot simply be changed: anyone can log into My Cloud with the admin login “mydlinkBRionyg” and the password “abc12345cba” and obtain a shell, which opens up a wide range of unauthorized uses. The situation should hurt the company's reputation noticeably: overlooking such flaws in the production of NAS devices, whose security WD writes a lot about (including on the hub), is very unprofessional.

If you think your home NAS is safe because it is not exposed to the Internet but simply sits on your local network, it can still be attacked through another device of yours (computer, tablet, phone). From that device, a user may visit a website on which an attacker has placed a specially crafted HTML image or IFrame; through it, the attacker can try to reach devices on your local network using predictable host names and gain unauthorized access without even resorting to active scanning.

Models that are vulnerable:

My Cloud Gen 2
My Cloud EX2
My Cloud EX2 Ultra
My Cloud PR2100
My Cloud PR4100
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

A Metasploit module is publicly available: anyone can download it and use it to attack NAS devices. Yes, this is exactly the moment when ready-made scripts are dangerous for every owner of the models above.

Until the manufacturer releases a patch for the vulnerability, it is recommended to disconnect these devices from your LAN (or power them off when not in use) and block their access to the Internet.

Update 1:

Reportedly, the November patch solves the problem (thanks, FenrirR).
Not vulnerable:
MyCloud 04.X series with MyCloud 2.30.174

But WD did not really publicize the existence of the problem, so many users never updated the firmware. For an up-to-date test, do not just try entering the username and password; use Metasploit instead.

Update 2:

Just the other day (January 9), an official article was published on WD's official blog, in which they confirm that this vulnerability is closed by update v2.30.172.

In addition, it is reported that some models running firmware version 2.xx, except My Cloud Home, may contain a vulnerability in Dashboard Cloud Access and port forwarding, which WD engineers are working on; the patch will be released in the near future. Until then, it is recommended to restrict LAN access to trusted users and disable port forwarding.

Models that support Dashboard Cloud Access:
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud DL2100
My Cloud DL4100
My Cloud PR2100
My Cloud PR4100
My Cloud Mirror
My Cloud Mirror Gen 2

And My Cloud Home models do not contain such vulnerabilities, since they were architecturally developed from scratch, without legacy problems.
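The two lists above, the fixed firmware version from WD's blog post and the interim advice on Dashboard Cloud Access and port forwarding can be turned into a simple inventory audit, so that an owner of several devices can see at a glance which ones still need attention. The following script is an added example and is not code from the article or from Western Digital. It assumes firmware versions are WD's dotted strings (e.g. "2.30.172"), takes 2.30.172 as the fixed version because that is what WD's January 9 post states (the earlier rumor mentioned 2.30.174), copies the two model lists from the article, and treats the inventory entries themselves as constructed sample data.

```python
"""Inventory audit for the WD My Cloud hardcoded-credential backdoor.

Added example, not code from the article or from Western Digital.
Assumptions: firmware versions are dotted strings such as "2.30.172";
the fixed version is 2.30.172 (per WD's January 9 blog post); the model
lists are copied from the article; the inventory below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Firmware version that WD states closes the backdoor (assumption: 2.30.172).
FIXED_VERSION = (2, 30, 172)

# Models the article lists as vulnerable to the hardcoded credentials.
BACKDOOR_MODELS = {
    "My Cloud Gen 2", "My Cloud EX2", "My Cloud EX2 Ultra", "My Cloud PR2100",
    "My Cloud PR4100", "My Cloud EX4", "My Cloud EX2100", "My Cloud EX4100",
    "My Cloud DL2100", "My Cloud DL4100",
}

# Models the article lists as supporting Dashboard Cloud Access.
CLOUD_ACCESS_MODELS = {
    "My Cloud EX2", "My Cloud EX4", "My Cloud EX2100", "My Cloud EX4100",
    "My Cloud EX2 Ultra", "My Cloud DL2100", "My Cloud DL4100",
    "My Cloud PR2100", "My Cloud PR4100", "My Cloud Mirror",
    "My Cloud Mirror Gen 2",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v2.30.172', '2.30.174' or '04.05.00-320' into a comparable tuple."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


@dataclass
class Device:
    """One NAS in the inventory (hypothetical record layout)."""
    name: str
    model: str
    firmware: str
    cloud_access_enabled: bool = False
    port_forwarding: bool = False


def audit(device: Device) -> list[str]:
    """Return the findings for one device, following the article's advice."""
    findings: list[str] = []
    version = parse_version(device.firmware)

    # Backdoor: affected model running firmware older than the fixed release.
    if device.model in BACKDOOR_MODELS and version < FIXED_VERSION:
        findings.append(
            f"hardcoded-credential backdoor: running {device.firmware}, "
            "update to 2.30.172 or later; until then keep it off the Internet"
        )

    # Interim issue WD is still working on: 2.xx firmware, Cloud Access models.
    if device.model in CLOUD_ACCESS_MODELS and version[0] == 2:
        if device.cloud_access_enabled:
            findings.append(
                "Dashboard Cloud Access enabled: unpatched issue reported by WD, "
                "restrict LAN access to trusted users"
            )
        if device.port_forwarding:
            findings.append("port forwarding enabled: WD recommends disabling it")

    return findings


def audit_inventory(devices: list[Device]) -> dict[str, list[str]]:
    """Audit every device and return only those with findings."""
    report = {d.name: audit(d) for d in devices}
    return {name: issues for name, issues in report.items() if issues}


# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    Device("office-nas", "My Cloud EX2", "2.21.119", cloud_access_enabled=True),
    Device("home-nas", "My Cloud PR4100", "v2.30.172", port_forwarding=True),
    Device("backup", "My Cloud Home", "1.0.0", cloud_access_enabled=True),
]

if __name__ == "__main__":
    for name, issues in audit_inventory(SAMPLE_INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

The version comparison is tuple-based, so a device on 2.30.174 passes while 2.21.119 fails; My Cloud Home never produces a finding because the article states it is not affected, and Gen 1 devices on the 04.x firmware series fall outside both lists and are left to the owner to check against WD's own notes.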
