Owners of Western Digital My Cloud NAS boxes: it’s time to learn how to update the firmware, because researcher James Bercegay has found that a dozen models possess a hard-coded backdoor.
The backdoor lets anyone log in as user mydlinkBRionyg with the password abc12345cba.
WD mostly sells the My Cloud range as file sharing and backup devices for domestic environments. But several of the models with the backdoor are four-disk machines suitable for use as shared storage in small businesses, and also capable of being configured as iSCSI targets for hosting virtual servers. Throw in the fact that some of the affected machines can reach 40TB of capacity and there’s a very real possibility that sizeable data stores are dangling online.
Observant readers will have noticed that the username includes the string “dlink”. D-Link, the company, also makes network attached storage (NAS) devices, and Bercegay wrote that he found “references to file handles and directory structure that was fairly unique, and from the D-link device. But, they also absolutely matched my WDMyCloud device”.
It became “pretty clear to me as the D-Link DNS-320L had the same exact hardcoded backdoor and same specific file upload vulnerability that was present within the WDMyCloud. So, it seems that the WDMyCloud software receives a large amount of the D-Link DNS-320L code, backdoor and all.”
D-Link, he said, patched the DNS-320L in July 2014 (firmware version 1.0.6). Western Digital users can eliminate the backdoor by installing firmware version 2.30.174.
This sort of thing isn’t uncommon in the small NAS world: Cisco’s NAS products were made by QNAP, while other OEMs seek out re-badging deals.
The My Cloud models that need patching include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100. Products on firmware version 4.x aren’t affected.
The file upload bug, Bercegay states, is in the multi_uploadify.php file.
An error in the handling of the gethostbyaddr() function lets an attacker “send a post request that contains a file to upload using the parameter ‘Filedata’, a location for the file to be uploaded to which is defined within the ‘folder’ parameter, and of course a bogus ‘Host’ header.”
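To make the class of mistake described above concrete, here is an added Python illustration; it is not code from WD, D-Link or Bercegay's advisory, and the two handlers, `weak_is_trusted` and `hardened_upload`, are hypothetical. The weak version derives trust from a reverse lookup of the client-supplied Host header, which the sender controls, and accepts the `folder` parameter as given. The hardened version ignores Host for authorization, requires an authenticated session, strips any client-supplied path from the file name and confines the destination to a fixed upload root.

```python
import os
import posixpath
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

UPLOAD_ROOT = "/shares"  # constructed example root; not a real My Cloud path


@dataclass
class Request:
    """Minimal stand-in for an HTTP upload request (constructed for this example)."""
    headers: Dict[str, str] = field(default_factory=dict)
    params: Dict[str, str] = field(default_factory=dict)
    session_user: Optional[str] = None  # populated only after a real login


def weak_is_trusted(request: Request,
                    resolve: Callable = socket.gethostbyaddr) -> bool:
    """Hypothetical weak pattern: treat the request as coming from a trusted
    client whenever a reverse lookup of the Host header succeeds. Because the
    client picks the Host header, the client picks the input to this check."""
    host = request.headers.get("Host", "")
    try:
        resolve(host)
    except (socket.herror, socket.gaierror, OSError, ValueError):
        return False
    return True


def weak_upload(request: Request, resolve: Callable = socket.gethostbyaddr) -> str:
    """Hypothetical weak handler: authorization rests on weak_is_trusted and
    the destination folder is used exactly as the client supplied it."""
    if not weak_is_trusted(request, resolve):
        raise PermissionError("untrusted client")
    folder = request.params.get("folder", "")
    filename = request.params.get("Filedata", "")
    return posixpath.join(UPLOAD_ROOT, folder, filename)


def hardened_upload(request: Request, root: str = UPLOAD_ROOT) -> str:
    """Hardened handler: the Host header plays no part in authorization."""
    if request.session_user is None:
        raise PermissionError("login required")
    # Discard any directory component the client smuggled into the file name.
    filename = os.path.basename(request.params.get("Filedata", ""))
    if not filename or filename in (".", ".."):
        raise ValueError("missing or invalid file name")
    folder = request.params.get("folder", "").lstrip("/")
    target = posixpath.normpath(posixpath.join(root, folder, filename))
    # Reject any destination that resolves outside the upload root.
    if not target.startswith(root + "/"):
        raise PermissionError("folder escapes upload root")
    return target


if __name__ == "__main__":
    # Constructed request: no login, bogus Host header, traversal in 'folder'.
    bogus = Request(headers={"Host": "203.0.113.9"},
                    params={"folder": "../etc", "Filedata": "passwd"})
    fake_resolve = lambda h: ("anything.example", [], [h])  # stands in for DNS
    print("weak handler accepts:", weak_upload(bogus, fake_resolve))
    try:
        hardened_upload(bogus)
    except PermissionError as e:
        print("hardened handler rejects:", e)
```

The fake resolver in the usage block exists only so the example runs offline; in production the point is that no resolver result, real or not, should decide authorization when the lookup input comes from the client.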