CVSSv3: 9.8

CVE-2018-17153

Published: 18/09/2018 Updated: 28/07/2023
CVSS v2 Base Score: 10 | Impact Score: 10 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 1000
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

It was discovered that Western Digital My Cloud devices with firmware prior to 2.30.196 are affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check whether a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated malicious user to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocations of commands that would normally require admin privileges then succeed if an attacker sets the username=admin cookie.

Vulnerability Trend

Vulnerable Products

western_digital my_cloud_wdbctl0020hwt_firmware

western_digital my_cloud_pr4100

western_digital my_cloud_pr2100_firmware

western_digital my_cloud_mirror_gen_2_firmware

western_digital my_cloud_mirror_firmware

western_digital my_cloud_ex4100

western_digital my_cloud_ex4_firmware

western_digital my_cloud_ex2100_firmware

western_digital my_cloud_ex2_ultra_firmware

western_digital my_cloud_ex2_firmware

western_digital my_cloud_dl4100_firmware

western_digital my_cloud_dl2100

Exploits

It was discovered that the Western Digital My Cloud is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the My Cloud device. This vulnerability was successfully verified on a Western D ...
This Metasploit module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an au ...

Metasploit Modules

Western Digital MyCloud unauthenticated command injection

This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a command injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable, the same command injection vector is leveraged to execute the payload. This module has been successfully tested against Western Digital MyCloud version 2.30.183. Note: based on the available disclosures, it seems that the command injection vector (CVE-2016-10108) might be exploitable without the authentication bypass (CVE-2018-17153) on versions before 2.21.126. The results obtained on 2.30.183 imply that the patch for CVE-2016-10108 did not actually remove the command injection vector, but only prevented unauthenticated access to it.
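The vulnerability summary above describes the session-creating request (network_mgr.cgi with cmd=cgi_get_ipv6 and flag=1, bound to the caller's IP) and the module description names the follow-up request path (/web/google_analytics.php). The following detection logic, added here as an example and not taken from Vulmon, Securify or the Metasploit module, runs over web-server access logs and flags both indicators, correlating them by client IP because the forged session is IP-bound. The Apache-style combined log format, the placeholder CGI name example_admin.cgi and the sample log lines are all constructed assumptions.

```python
"""Log-based detection for the CVE-2018-17153 request pattern (added example).

Assumptions (not from the advisory): Apache-style combined log lines, and a
constructed sample log. The two indicators come from the advisory text:
  1. a request to /cgi-bin/network_mgr.cgi with cmd=cgi_get_ipv6 and flag=1,
     which creates an admin session bound to the requesting IP; and
  2. later requests from that same IP to other CGI endpoints or to
     /web/google_analytics.php, which a vulnerable device would accept once
     the username=admin cookie is presented.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Apache combined log format (assumed); captures the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

SESSION_CGI = "/cgi-bin/network_mgr.cgi"
FOLLOWUP_PHP = "/web/google_analytics.php"


@dataclass
class Finding:
    ip: str
    kind: str   # "session_creation" or "post_bypass_call"
    ts: str
    url: str


def is_session_creation(url: str) -> bool:
    """True only for the exact call the advisory names: network_mgr.cgi with
    cmd=cgi_get_ipv6 AND flag=1. cgi_get_ipv6 without flag=1 does not create
    a session, so it is deliberately not flagged (avoids noise from normal UI use)."""
    parts = urlsplit(url)
    if parts.path != SESSION_CGI:
        return False
    q = parse_qs(parts.query)
    return q.get("cmd") == ["cgi_get_ipv6"] and q.get("flag") == ["1"]


def analyze(lines):
    """Return a list of Findings: every session-creation request, plus any
    subsequent CGI / google_analytics.php request from an IP that already
    triggered session creation earlier in the log."""
    primed = {}          # ip -> timestamp of its first session-creation request
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue     # line does not fit the assumed format; skip it
        ip, ts, url = m.group("ip"), m.group("ts"), m.group("url")
        if is_session_creation(url):
            primed.setdefault(ip, ts)
            findings.append(Finding(ip, "session_creation", ts, url))
        elif ip in primed:
            path = urlsplit(url).path
            if path.startswith("/cgi-bin/") or path == FOLLOWUP_PHP:
                findings.append(Finding(ip, "post_bypass_call", ts, url))
    return findings


# Constructed sample log (RFC 5737 documentation addresses; example_admin.cgi is a placeholder).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Sep/2018:10:00:01 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 512',
    '192.0.2.10 - - [18/Sep/2018:10:00:03 +0000] "GET /cgi-bin/example_admin.cgi?cmd=cgi_example HTTP/1.1" 200 1024',
    '192.0.2.10 - - [18/Sep/2018:10:00:05 +0000] "POST /web/google_analytics.php HTTP/1.1" 200 64',
    '198.51.100.7 - - [18/Sep/2018:10:00:06 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6 HTTP/1.1" 200 512',
    '198.51.100.7 - - [18/Sep/2018:10:00:07 +0000] "GET /web/index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.kind}: {f.url}")
```

The correlation step is what makes this useful on a busy device: a single cgi_get_ipv6 request may be benign, but a flag=1 request followed by privileged CGI calls from the same address is the sequence the advisory describes. On firmware 2.30.196 or later the session-creation request no longer grants a session, so the second finding type is the one that indicates actual exposure.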

msf > use exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection
msf exploit(wd_mycloud_unauthenticated_cmd_injection) > show targets
    ...targets...
msf exploit(wd_mycloud_unauthenticated_cmd_injection) > set TARGET < target-id >
msf exploit(wd_mycloud_unauthenticated_cmd_injection) > show options
    ...show and set options...
msf exploit(wd_mycloud_unauthenticated_cmd_injection) > exploit

Recent Articles

'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud
The Register • Shaun Nichols in San Francisco • 18 Sep 2018

Western Digital NAS machines vulnerable to hijacking via HTTP cookies

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet. Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and login with admin privileges. This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as...