WDC Tracking Number: WDC-19002
Published: January 8, 2019
Last Updated: January 8, 2020
My Cloud Firmware 2.12.127 includes multiple updates to help improve the security of your My Cloud device.
Resolved the following command injection vulnerabilities:
The REST API provided by the web interface of My Cloud storage devices was vulnerable to a shell command injection. This vulnerability was addressed in the Web Admin Dashboard by sanitizing shell inputs.
Reported by: Daniel Forse
Resolved two command injection vulnerabilities exploitable by an unauthenticated attacker on the LAN. These vulnerabilities allowed any shell command to be injected into the device from the LAN side without authentication. They were fixed by improving parameter validation.
Reported by: Steve Campbell
Resolved a post-authentication command injection vulnerability that affected WD My Cloud versions prior to 2.30.165. It was fixed by improving parameter validation.
Reported by: James Bercegay
Resolved multiple command injection vulnerabilities throughout the web UI, and the Web Admin Dashboard.
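The command injection fixes above all come down to the same change: a request parameter must not be spliced into a shell command line, and it must be validated before it reaches any process. The following is an added example written for this advisory, not Western Digital code; the diagnostic (a ping from the dashboard) and the host parameter are assumptions chosen to illustrate the 'before' and 'after' patterns.

```python
"""Added example (not Western Digital code): the two ways a web handler can
hand an untrusted request parameter to a system utility, and the allow-list
validation that the 'parameter validation' fixes in the advisory describe.
The ping diagnostic and the host parameter are assumptions for illustration."""
import re
import subprocess

# Allow-list for a hostname / IPv4 literal: letters, digits, dots and hyphens,
# starting and ending with a letter or digit.  Shell metacharacters, spaces
# and a leading '-' (which would be parsed as an option) can never match.
_HOST_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?$")


def is_valid_host(value) -> bool:
    """True if value is a plausible hostname / IPv4 literal under the allow-list."""
    return isinstance(value, str) and _HOST_RE.fullmatch(value) is not None


def validate_host(value: str) -> str:
    """Return value unchanged if it passes the allow-list, else raise ValueError."""
    if not is_valid_host(value):
        raise ValueError("invalid host parameter")
    return value


def build_ping_command_vulnerable(host: str) -> str:
    """'Before' pattern: string concatenation destined for a shell (shell=True).
    Whatever the client sent, metacharacters included, becomes part of the
    command line the shell parses."""
    return "ping -c 1 " + host


def build_ping_command_hardened(host: str) -> list:
    """'After' pattern: validate first, then build an argv list.  An argv list
    is never parsed by a shell, and '--' ends option parsing as a second line
    of defence against a value that starts with '-'."""
    return ["ping", "-c", "1", "--", validate_host(host)]


def run_ping(host: str) -> int:
    """Run the hardened command without a shell and return its exit status."""
    return subprocess.run(build_ping_command_hardened(host), check=False).returncode
```

The hardened builder refuses the request rather than trying to escape it: escaping has to be right for every shell and every quoting context, while an allow-list plus an argv list removes the shell from the path entirely.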
Resolved the following cross site request forgery (CSRF) vulnerabilities:
A cross-site request forgery vulnerability was reported where an authenticated admin user could be enticed to visit a crafted website that would perform requests on the attacker's behalf. Added cross-site request forgery protection.
Reported by: Remco Vermeulen
A CSRF vulnerability was reported in WD My Cloud where an attacker could use the user’s browser as a proxy to launch a CSRF attack. Implemented REST end point checks to block CSRF attacks.
Reported by: Edith Kain
Resolved multiple CSRF vulnerabilities on the WD My Cloud devices that could further lead to unauthenticated command injections as well as arbitrary file uploads.
Reported by: Fikri Fadzil from SEC Consult Vulnerability Lab
Resolved multiple cross-site request forgery vulnerabilities in the WD My Cloud web interface that could allow remote code execution and escalation of privileges.
Reported by: James Bercegay
Resolved multiple cross-site request forgery vulnerabilities in the storage and settings pages, backup pages and cloud access pages of the My Cloud web interface. Also resolved multiple CSRF issues in the My Cloud app.
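The CSRF fixes above describe two mechanisms: a synchronizer token the forged page cannot read, and REST endpoint checks on where the request came from. The following is an added example, not Western Digital code, showing both checks on a state-changing endpoint; the header names, the session dictionary and the trusted origin are assumptions for illustration.

```python
"""Added example (not Western Digital code): two complementary CSRF checks
for a state-changing REST endpoint.  The request/session shapes, the
X-CSRF-Token header and the trusted origin are assumptions for illustration."""
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample value: the origin the dashboard is served from.
TRUSTED_ORIGINS = {"https://mycloud.local"}


def issue_csrf_token(session: dict) -> str:
    """Mint a per-session token and keep it server-side (synchronizer token).
    The page embeds it in forms / JS; a cross-site page cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def origin_is_trusted(headers: dict, trusted=TRUSTED_ORIGINS) -> bool:
    """Check the Origin header (falling back to Referer) against the allow-list.
    A request with neither header is rejected rather than waved through."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin in trusted


def csrf_token_matches(session: dict, headers: dict) -> bool:
    """Compare the presented token with the session's token in constant time."""
    expected = session.get("csrf_token")
    presented = headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected, presented)


def authorize_state_change(session: dict, headers: dict, method: str) -> bool:
    """Gate for mutating requests.  Safe methods pass (this assumes GET never
    changes state); everything else must pass both checks.  The browser will
    attach the session cookie to a forged request, but the forged request
    carries neither a readable token nor a trusted Origin, so it fails here."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    return origin_is_trusted(headers) and csrf_token_matches(session, headers)
```

Requiring both checks means a bug in one (a lax Referer parser, a token leaked into a log) does not on its own reopen the endpoint.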
Resolved a Linux kernel vulnerability (Dirty COW). This allowed a local user to obtain root privileges on a target system.
CVE Number: CVE-2016-5195
Resolved a denial-of-service vulnerability in the user language preference settings of the web interface.
Reported by: James Bercegay
An authentication bypass was reported in the WD My Cloud device that provided a user with admin privileges without authenticating. This issue was resolved by blocking SSH shadow information from the web browser view.
Reported by: Remco Vermeulen
The OpenSSH component has been updated to version 7.5p1 to address multiple vulnerabilities.
Reported by: Jacob Ent
Resolved a buffer overflow issue that could lead to unauthenticated access through the use of return-oriented programming (ROP). Added stack canary buffer overflow protection and ensured address space layout randomization (ASLR) was implemented correctly.
Reported by: Remco Vermeulen
The My Cloud operating system was vulnerable to potential brute-force attacks on the Dashboard authentication and SSH service. This made users with weak passwords more susceptible to having their files compromised. Resolved the vulnerability by enhancing security on authentication.
The bundled version of the Portable SDK for UPnP Devices (libupnp, Universal Plug and Play) was vulnerable to a number of remote code execution vulnerabilities. Resolved the issue by updating the libupnp component to version 1.6.25.
CVE Number: CVE-2012-5958
Addressed a clickjacking vulnerability in all dashboards by adding the X-Frame-Options header in the web server and validating that SAMEORIGIN is returned.
Resolved the following security issues in the Webfile viewer on-device app:
Improved the security of volume mount options. Added a secure mount option for user shares. This limits what can be done from the user shares and hardens the device against scripted or opportunistic attacks such as remote exploitation or privilege escalation (CWE-275).
Resolved an EULA bypass vulnerability in the EX2, EX4, and Mirror Gen1. It was possible for a user to bypass the EULA and configure the NAS device without accepting the agreement, an improper access control vulnerability (CWE-284).
Improved credential handling for the remote MyCloud-to-MyCloud backup feature. Removed unencrypted credentials from the remote backup process, preventing credential exposure and addressing cleartext transmission of sensitive information (CWE-319).
The admin interface of the firmware was running an outdated version of jQuery. jQuery has been updated to version 3.3.1 to address a Cross-Site Scripting (XSS) vulnerability.
CVE Number: CVE-2010-5312
Reported by: Tobias Jakobs
Resolved a file-list validation vulnerability in the rsync component, an open-source utility that provides fast incremental file transfer. rsync has been updated to version 3.1.3 to address the issue.
CVE Number: CVE-2018-5764
Reported by: Jacob Ent
WD My Cloud devices provided IPv6 users with admin privileges without authenticating. This IPv6 authentication bypass vulnerability has been fixed to prevent authentication bypass using IPv6 redirects.
CVE Number: CVE-2018-17153
Reported by: Remco Vermeulen
Apache has been updated to version 2.4.34 to address multiple vulnerabilities.
CVE Number: CVE-2018-1301
CVE Number: CVE-2018-1302
CVE Number: CVE-2018-1303
CVE Number: CVE-2018-1312
CVE Number: CVE-2017-15715
The PHP component has been updated to version 5.4.45 to address a number of potential vulnerabilities including buffer over-read, wrong hashes, use-after-free, remote command execution, null pointer dereference and directory traversal.
CVE Number: CVE-2015-6834
CVE Number: CVE-2015-6835
CVE Number: CVE-2015-6836
CVE Number: CVE-2015-6837
CVE Number: CVE-2015-6838
CVE Number: CVE-2014-9767
Resolved an authenticated remote command execution vulnerability in the My Cloud devices.
Reported by: Maor Shwartz
Added path variables checks to confirm data validity to prevent a potential attacker from calling a path they are not authorized to see. This prevents an attacker from gaining knowledge of the directory architecture.
Secured the Web Admin Dashboard by using enhanced session management cookies, preventing potential attackers from cloning and compromising a user session (CWE-287).
The web file viewer used download-link tokens with insufficient entropy: an attacker who already held one download-link token could generate valid tokens for other files within that user's share. The issue was resolved by increasing token entropy so that an attacker cannot feasibly "crack" a token to recover the seed and reconstruct the hash.
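The token weakness above is the combination of a guessable seed and a token that is not tied to the file it grants. The following is an added example, not Western Digital code, of a download-link token that fixes both: the nonce comes from the operating system's CSPRNG, and an HMAC binds the token to the share, path and expiry so that holding one token gives no way to derive another. The key, share name and path are constructed sample values.

```python
"""Added example (not Western Digital code): download-link tokens with a
128-bit random nonce, bound to share + path + expiry with an HMAC under a
server-side key.  Key, share and path values are constructed samples."""
import hashlib
import hmac
import secrets
import time

# Server secret.  A deployment would load this from protected storage; here
# it is generated at import so the example runs stand-alone.
SERVER_KEY = secrets.token_bytes(32)

_NONCE_LEN = 16   # 128 bits from the CSPRNG: no seed to recover
_TAG_LEN = 32     # HMAC-SHA256 output


def _mac(key: bytes, nonce: bytes, share: str, path: str, expires: int) -> bytes:
    """HMAC over every field the token grants, NUL-separated to avoid
    ambiguous concatenation of share and path."""
    msg = b"\x00".join([nonce, share.encode(), path.encode(), str(expires).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def issue_download_token(share: str, path: str, ttl_seconds: int = 600,
                         key: bytes = SERVER_KEY, now: int = None):
    """Return (token_hex, expires).  token = nonce || HMAC(key, nonce, share, path, expires).
    The link carries the token and the expiry; the server recomputes the tag."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_bytes(_NONCE_LEN)
    tag = _mac(key, nonce, share, path, expires)
    return (nonce + tag).hex(), expires


def verify_download_token(token_hex: str, share: str, path: str, expires: int,
                          key: bytes = SERVER_KEY, now: int = None) -> bool:
    """True only if the token is well-formed, unexpired, and its tag matches
    this exact share/path/expiry.  Comparison is constant-time."""
    now = int(time.time()) if now is None else now
    if now >= expires:
        return False
    try:
        raw = bytes.fromhex(token_hex)
    except ValueError:
        return False
    if len(raw) != _NONCE_LEN + _TAG_LEN:
        return False
    nonce, tag = raw[:_NONCE_LEN], raw[_NONCE_LEN:]
    return hmac.compare_digest(tag, _mac(key, nonce, share, path, expires))
```

Because the nonce is random and the tag depends on the server key, a valid token for one file reveals nothing an attacker could use to mint a token for a neighbouring file in the same share; changing the path, the expiry or a single byte of the tag fails verification.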
Improved credential handling for upload-logs-to-support option. Removed hardcoded FTP credentials that were used when uploading logs. This prevents an attacker from uploading potentially malicious files to our FTP server.
Resolved leakage of debug messages in the web interface.
A warning has been added to the firmware when enabling the remote administrative dashboard feature. It is recommended to use the mycloud.com interface to interact with your My Cloud device remotely instead.