The default configuration of Western Digital My Cloud EX2 network drives allows any unauthorised user on the local network to extract files by sending HTTP requests, according to security researchers.
Western Digital's My Cloud devices are storage/backup device that lets users backup and store important documents, photos and media files.
In a security advisory, researchers at Trustwave said that when the device is switched on, the UPnP-media server automatically starts, which by default allows any user who can send HTTP requests to the device to extract any files. Thus, it is possible to bypass any permissions or restrictions set by the owner or administrator of the device.
“It is possible to access files on the storage even when Public shares are
disabled. Specifically, anyone can issue HTTP requests to TMSContentDirectory/Control
on port 9000 passing various actions. The Browse action returns XML with URLs to
individual files on the device,” said researchers.
Researchers said that they had informed Western Digital about the problem in January of this year, but the manufacturer said that it will not release a patch. As a measure to prevent exploitation of the vulnerability, users are advised to disable DLNA if important data is stored on the device. Western Digital recommended that users follow this knowledge base article to turn off DLNA "if they do not wish to use the product feature."
Trustwave has also created a tool that users can utilise to test their own devices. It can be found here.
Jason Garbis, vice president at Cyxtera, told SC Media UK that like all network-attached devices, organisations need to engage with their information security teams prior to deploying this drive onto their network.
“Organisations of all sizes need to take a more proactive approach to network security and apply a zero-trust philosophy to their network. Once again, this vulnerability demonstrates that network access to a system – even without login credentials – is a privilege that must be managed. Today's networks are far too open, which is a root cause of the many successful attacks and breaches affecting the IT industry,” he said.
“With proper configuration, this device can be safely used. It should have the DLNA (UPnP) feature disabled, and ideally should have network access restricted to only authorised users. Deployed in its default configuration, this device exposes businesses to unnecessary risk of data breach, either to malicious insiders or external attackers.”
Earlier this year, another security researcher found a plethora of vulnerabilities, such as pre auth remote root code execution, as well as a hardcoded backdoor admin account which cannot be changed. The backdoor also allows for pre auth remote root code execution on the affected device. The backdoor allowed anyone log in as user mydlinkBRionyg with the password abc12345cba. Western Digital has since issued a fix for this problem. It can be found here.