Patch now to remove the backdoor that could give anyone remote access.

Oh good, there’s a plethora of vulnerabilities, including a hardcoded backdoor, in 12 Western Digital My Cloud network storage devices. If you have one, then you need to update the firmware ASAP, unless you actually want anyone at all across the globe to be able to log into yours as user “mydlinkBRionyg” with the password “abc12345cba”. The hardcoded backdoor administration account credentials cannot be changed; the backdoor can be removed by installing new firmware.

Gulftech security researcher James Bercegay informed Western Digital of multiple, easy-to-exploit flaws back in June 2017. Western Digital requested the standard 90 days before full disclosure. Yet more than six months went by without the company issuing fixes, so Bercegay published the details. That was enough to spur Western Digital to issue patches for the remote access bugs.

The devices are fairly popular, even listed as the bestselling network-attached storage (NAS) on Amazon. If an attacker were to use the hardcoded credentials in the firmware to log into a user’s device, then he or she could issue rogue commands as root to the My Cloud device.

Another vulnerability that was easy to exploit would allow an attacker to upload files to the device and give them control over the device’s data. Regarding the remote exploitation, Bercegay wrote:

The triviality of exploiting these issues makes it very dangerous, and even wormable. Not only that, but users locked to a LAN are not safe either.
An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag make a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as “wdmycloud” and “wdmycloudmirror” etc.

He then gave a link example, saying that just by visiting the link, it would “totally destroy a WDMyCloud without the need for any type of authentication whatsoever, and there is nothing you can do about it except delete the file as the credentials are hardcoded into the binary itself.”

Besides the critical vulnerabilities, Gulftech also found other flaws, such as cross-site request forgery (CSRF), command injection, denial-of-service and information disclosure.

Affected Western Digital My Cloud devices

Bercegay said the following models are vulnerable: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

The fix for the critical vulnerabilities is to upgrade the firmware to version 2.30.174.

D-Link username for WD’s My Cloud devices

As you likely noticed, the hardcoded admin account username “mydlinkBRionyg” includes “dlink.” After some research into a D-Link device, Bercegay noted that it “became pretty clear to me, as the D-Link DNS-320L had the same exact hardcoded backdoor and same exact file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software shares a large amount of the D-Link DNS-320L code, backdoor and all.”

However, the D-Link DNS-320L is “not vulnerable to the backdoor and file upload issues.” That backdoor was removed in a firmware release in July 2014.
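For defenders who cannot patch every unit at once, the LAN scenario Bercegay describes (a web page making the browser request a default My Cloud hostname) leaves a recognisable trace in outbound proxy logs. The following detection sketch is an added example, not code from the article or from Gulftech; the log layout, the `PLACEHOLDER` path, the `user` parameter name and the `.local` suffix handling are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit

# Values taken from the article.
BACKDOOR_USER = "mydlinkBRionyg"
DEFAULT_HOSTS = {"wdmycloud", "wdmycloudmirror"}

# Assumed proxy log layout: client "METHOD URL" status "Referer"
LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

# Constructed sample lines; paths and parameter names are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 "GET http://wdmycloud/" 200 "-"',
    '10.0.0.5 "GET http://wdmycloud/PLACEHOLDER" 200 "http://wdmycloud/"',
    '10.0.0.7 "GET http://wdmycloudmirror/PLACEHOLDER" 200 "http://news.example/article"',
    '10.0.0.9 "POST http://wdmycloud.local/PLACEHOLDER?user=mydlinkBRionyg" 200 "http://ads.example/frame"',
    '10.0.0.5 "GET http://intranet.example/" 200 "http://news.example/"',
]

def host_of(url):
    """Lower-cased hostname of a URL, '' if absent; a .local suffix is dropped."""
    try:
        host = (urlsplit(url).hostname or "").lower()
    except ValueError:  # malformed URL in the log
        return ""
    return host[:-6] if host.endswith(".local") else host

def classify(line):
    """Return the findings for one log line (empty list if nothing matched)."""
    findings = []
    # The hardcoded account name should never appear in legitimate traffic.
    if BACKDOOR_USER.lower() in line.lower():
        findings.append("backdoor-username")
    m = LINE_RE.match(line.strip())
    if not m:
        return findings + ["unparsed"]
    _client, _method, url, _status, referer = m.groups()
    target, source = host_of(url), host_of(referer)
    # A request to the NAS whose Referer is another site is the iframe/img pattern.
    if target in DEFAULT_HOSTS and source and source != target:
        findings.append("cross-site-request-to-nas")
    return findings

def scan(lines):
    """Map 1-based line number -> findings, for lines with at least one finding."""
    hits = {}
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits
```

Calling `scan(SAMPLE_LOG)` flags lines 3 and 4; browsers can suppress the Referer header, so a clean result does not prove the device was never targeted.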