Cloudy storage kit needs firmware patch, will anybody notice?
Western Digital has issued a fix for its My Cloud Mirror backup disks, after ESET “detection engineer” Kacper Szurek found an authentication bypass with remote code execution in the system.
My Cloud Mirror is a backup hard drive product sold with personal cloud storage, which means the hardware might be left Internet-visible.
Szurek writes that the login form wasn’t protected against command injection.
The “exec() function is used without using escapeshellarg() or escapeshellcmd().
“So we can create string which looks like this: wto -n “a” || other_command || “” -g which means that wto and other_command will be executed.”
There’s a bunch of other bugs in the My Cloud Mirror 2.11.153 firmware, Szurek writes, mostly relating to parameters that aren’t escaped.
The affected files in the firmware include index.php, chk_vv_sharename.php, modUserName.php, upload.php, and a gem in login_checker.php.
“Inside lib/login_checker.php there is login_check() function which is used to check if user is logged, but it’s possible to bypass this function because it simply checks if $_COOKIE[‘username’] and $_COOKIE[‘isAdmin’] exist.”
Western Digital fixed the issues in release 2.11.157 in late December, but The Register suspects there’s a lot of unpatched boxes out there. ®
Sponsored: Customer Identity and Access Management