CVE-2018-17153

Western Digital MyCloud unauthenticated command injection

Severity Score

9.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

Se ha descubierto que el dispositivo Western Digital My Cloud hasta las versiones 2.30.x se ve afectado por una vulnerabilidad de omisión de autenticación. Un atacante no autenticado puede explotar esta vulnerabilidad para autenticarse como usuario administrador sin necesitar proporcionar una contraseña, obteniendo así el control total del dispositivo. (Cuando un administrador inicia sesión en My Cloud, se crea una sesión del lado del servidor que está conectado a la dirección IP del usuario. Tras crear la sesión, es posible llamar a módulos CGI autenticados mediante el envío de la cookie username=admin en la petición HTTP. El CGI invocado comprobará si hay una sesión válida presente y la conectará con la IP del usuario). Se ha descubierto que es posible para un atacante no autenticado crear una sesión válida sin iniciar sesión. El módulo CGI network_mgr.cgi contiene un comando llamado "cgi_get_ipv6" que inicia una sesión de administrador (enlazada con la dirección IP del usuario que realiza la petición) si se proporciona el parámetro adicional "flag" con el valor "1". La invocación subsecuente de comandos que normalmente requerirían privilegios de administrador tendría éxito ahora si el atacante establece la cookie username=admin.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2016-12-14 First Exploit
2018-09-18 CVE Reserved
2018-09-18 CVE Published
2024-08-05 CVE Updated
2024-08-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-287: Improper Authentication

CAPEC

References (7)

URL	Tag	Source
http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
http://www.securityfocus.com/bid/105359	Third Party Advisory
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952	Third Party Advisory
https://www.securify.nl/advisory/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges
https://web.archive.org/web/20170315123948/https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas

URL	Date	SRC
https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html	2024-08-05
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection.rb	2016-12-14

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Western Digital Search vendor "Western Digital"	My Cloud Wdbctl0020hwt Firmware Search vendor "Western Digital" for product "My Cloud Wdbctl0020hwt Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Wdbctl0020hwt Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Wdbctl0020hwt Search vendor "Western Digital" for product "My Cloud Wdbctl0020hwt"	*	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Pr4100 Search vendor "Western Digital" for product "My Cloud Pr4100"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Pr4100" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Pr4100 Search vendor "Western Digital" for product "My Cloud Pr4100"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Pr2100 Firmware Search vendor "Western Digital" for product "My Cloud Pr2100 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Pr2100 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Pr2100 Search vendor "Western Digital" for product "My Cloud Pr2100"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Mirror Gen 2 Firmware Search vendor "Western Digital" for product "My Cloud Mirror Gen 2 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Mirror Gen 2 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Mirror Gen 2 Search vendor "Western Digital" for product "My Cloud Mirror Gen 2"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Mirror Firmware Search vendor "Western Digital" for product "My Cloud Mirror Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Mirror Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Mirror Search vendor "Western Digital" for product "My Cloud Mirror"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Ex4100 Search vendor "Western Digital" for product "My Cloud Ex4100"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Ex4100" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Ex4100 Search vendor "Western Digital" for product "My Cloud Ex4100"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Ex4 Firmware Search vendor "Western Digital" for product "My Cloud Ex4 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Ex4 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Ex4 Search vendor "Western Digital" for product "My Cloud Ex4"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Ex2100 Firmware Search vendor "Western Digital" for product "My Cloud Ex2100 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Ex2100 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Ex2100 Search vendor "Western Digital" for product "My Cloud Ex2100"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Ex2 Ultra Firmware Search vendor "Western Digital" for product "My Cloud Ex2 Ultra Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Ex2 Ultra Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Ex2 Ultra Search vendor "Western Digital" for product "My Cloud Ex2 Ultra"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Ex2 Firmware Search vendor "Western Digital" for product "My Cloud Ex2 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Ex2 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Ex2 Search vendor "Western Digital" for product "My Cloud Ex2"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Dl4100 Firmware Search vendor "Western Digital" for product "My Cloud Dl4100 Firmware"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Dl4100 Firmware" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Dl4100 Search vendor "Western Digital" for product "My Cloud Dl4100"	-	-	Safe
Western Digital Search vendor "Western Digital"	My Cloud Dl2100 Search vendor "Western Digital" for product "My Cloud Dl2100"	< 2.30.196 Search vendor "Western Digital" for product "My Cloud Dl2100" and version " < 2.30.196"	-	Affected	in	Western Digital Search vendor "Western Digital"	My Cloud Dl2100 Search vendor "Western Digital" for product "My Cloud Dl2100"	-	-	Safe