Western Digital shuts remotely exploitable NAS backdoor

Users of Western Digital (WD) MyCloud network attached storage products are advised to update the firmware on the devices to close an admin account that can act as a backdoor for attackers.

Security vendor GulfTech discovered that a range of WD MyCloud NAS devices contain a hardcoded backdoor account that cannot be changed, and which allows for remote code execution.

The backdoor is incorporated into the Common Gateway Interface (CGI) Linux binary files that are accessible via the webserver on MyCloud devices.

GulfTech found the code for one CGI binary had an admin user named mydlinkBRionyg with the password abc12345cba hardcoded into it.

Exploiting the vulnerability is trivial, and allows attackers to run any commands as the root superuser, with full access to the entire NAS operating system.

It could be used to create internet worms running on the MyCloud devices, and even to wipe these by embedding commands into malicious web pages, GulfTech found.

Adding to the security woes, attackers can upload any files they want to vulnerable MyCloud devices, exploiting bugs in a PHP script running on the storage devices.

"Exploiting this issue to gain a remote shell as root is a rather trivial process. All an attacker has to do is send a post request that contains a file to upload using the parameter "Filedata[0]", a location for the file to be upload to which is specified within the "folder" parameter, and of course a bogus "Host" header," GulfTech wrote.

The MyCloud devices are also susceptible to cross-site request forgeries (XSRF), command injection, denial of service attacks and information disclosure leaks.

The vulnerable devices are listed as:

• MyCloud
• MyCloudMirror
• MyCloud Gen 2
• MyCloud PR2100
• MyCloud PR4100
• MyCloud EX2 Ultra
• MyCloud EX2
• MyCloud EX4
• MyCloud EX2100
• MyCloud EX4100
• MyCloud DL2100
• MyCloud DL4100

Version 2.30.174 of the MyCloud firmware released by WD fixes the vulnerabilities.