Vulnerability Description
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Western Digital | My Cloud Wdbctl0020Hwt Firmware | < 2.30.196 |
| Western Digital | My Cloud Wdbctl0020Hwt | All versions |
| Western Digital | My Cloud Pr4100 | < 2.30.196 |
| Western Digital | My Cloud Pr2100 Firmware | < 2.30.196 |
| Western Digital | My Cloud Pr2100 | - |
| Western Digital | My Cloud Mirror Gen 2 Firmware | < 2.30.196 |
| Western Digital | My Cloud Mirror Gen 2 | - |
| Western Digital | My Cloud Mirror Firmware | < 2.30.196 |
| Western Digital | My Cloud Mirror | - |
| Western Digital | My Cloud Ex4100 | < 2.30.196 |
| Western Digital | My Cloud Ex4 Firmware | < 2.30.196 |
| Western Digital | My Cloud Ex4 | - |
| Western Digital | My Cloud Ex2100 Firmware | < 2.30.196 |
| Western Digital | My Cloud Ex2100 | - |
| Western Digital | My Cloud Ex2 Ultra Firmware | < 2.30.196 |
| Western Digital | My Cloud Ex2 Ultra | - |
| Western Digital | My Cloud Ex2 Firmware | < 2.30.196 |
| Western Digital | My Cloud Ex2 | - |
| Western Digital | My Cloud Dl4100 Firmware | < 2.30.196 |
| Western Digital | My Cloud Dl4100 | - |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthentica
- http://www.securityfocus.com/bid/105359Third Party AdvisoryVDB Entry
- https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-ExploitThird Party Advisory
- https://support.wdc.com/knowledgebase/answer.aspx?ID=25952Third Party Advisory
- http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthentica
- http://www.securityfocus.com/bid/105359Third Party AdvisoryVDB Entry
- https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-ExploitThird Party Advisory
- https://support.wdc.com/knowledgebase/answer.aspx?ID=25952Third Party Advisory
FAQ
What is CVE-2018-17153?
CVE-2018-17153 is a vulnerability with a CVSS score of 9.8 (CRITICAL). It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenti...
How severe is CVE-2018-17153?
CVE-2018-17153 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-17153?
Check the references section above for vendor advisories and patch information. Affected products include: Western Digital My Cloud Wdbctl0020Hwt Firmware, Western Digital My Cloud Wdbctl0020Hwt, Western Digital My Cloud Pr4100, Western Digital My Cloud Pr2100 Firmware, Western Digital My Cloud Pr2100.