Western Digital My Cloud suffers authentication vulnerability

Western Digital My cloud products exhibit an authentication bypass type vulnerability. A malicious person can gain administrator access to the hard drive through the web portal without using the password, giving them full control over the My Cloud service.

Western Digital My Cloud, Western Digital My Cloud suffers authentication vulnerability, Optocrypto

In Exploitee.rs, they independently spotted and discovered the same vulnerability. This vulnerability was successfully verified in a WD My Cloud model WDBCTL0020HWT with firmware 2.30.172. This problem is not limited to the model that found the vulnerability, as most My Cloud products use the same code, i.e. they are the most vulnerable.

When an administrator is authenticated, a server-side session is created that is linked to the user’s IP. Once the session is established, it is possible to call the authenticated CGI modules by sending the cookie “username=admin” in the HTTP message. The called CGI checks whether a valid session has been found and associated with the IP.

It has been discovered that it is possible for an unauthenticated attacker to create a valid session without requiring authentication.

Western Digital has not yet been able to fix this crucial vulnerability.