Western Digital My Cloud Cross Site Request Forgery
Posted on 30 November -0001
<HTML><HEAD><TITLE>Western Digital My Cloud Cross Site Request Forgery</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>------------------------------------------------------------------------ Western Digital My Cloud vulnerable to Cross-Site Request Forgery vulnerability ------------------------------------------------------------------------ Remco Vermeulen, January 2017 ------------------------------------------------------------------------ Abstract ------------------------------------------------------------------------ It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. This issue can be combined with a command injection vulnerability (see advisory SFY201703) to gain complete control (root access) of the affected device. ------------------------------------------------------------------------ See also ------------------------------------------------------------------------ - https://securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html - https://securify.nl/advisory/SFY20170103/western_digital_my_cloud_vulnerable_to_multiple_command_injection_vulnerabilities.html ------------------------------------------------------------------------ Tested versions ------------------------------------------------------------------------ This issue was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.21.126. The issue isn't limited to the used model since most of the products in the My Cloud series share the same (vulnerable) code. ------------------------------------------------------------------------ Fix ------------------------------------------------------------------------ There is currently no fix available. ------------------------------------------------------------------------ Details ------------------------------------------------------------------------ https://www.securify.nl/advisory/SFY20170104/western_digital_my_cloud_vulnerable_to_cross_site_request_forgery_vulnerability.html Western Digital My Cloud is a low-cost entry-level network-attached storage device. It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. When combined with command injection (see advisory SFY201703) this issue allows an attacker to gain complete control (root access) of the affected device. This issue exists due to the fact that the My Cloud device lacks protection against Cross-Site Request Forgery attacks. In order to exploit this vulnerability, an attacker has to lure an authenticated My Cloud device user (some command injections require an admin user whereas others also allow users with fewer privileges) into executing a malicious link crafted to exploit a command injection in a vulnerable My Cloud device. </BODY></HTML>