cbcvebase.
CVE-2018-17153
published 2018-09-18


Priority: P183 (critical)
CVSS 3.0: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 86.59% (99.7th percentile)
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

Affected

12 ranges

Vendor          | Product                             | Version range | Fixed in
----------------|-------------------------------------|---------------|---------
western_digital | my_cloud_dl2100                     | < 2.30.196    | 2.30.196
western_digital | my_cloud_dl4100_firmware            | < 2.30.196    | 2.30.196
western_digital | my_cloud_ex2100_firmware            | < 2.30.196    | 2.30.196
western_digital | my_cloud_ex2_firmware               | < 2.30.196    | 2.30.196
western_digital | my_cloud_ex2_ultra_firmware         | < 2.30.196    | 2.30.196
western_digital | my_cloud_ex4100                     | < 2.30.196    | 2.30.196
western_digital | my_cloud_ex4_firmware               | < 2.30.196    | 2.30.196
western_digital | my_cloud_mirror_firmware            | < 2.30.196    | 2.30.196
western_digital | my_cloud_mirror_gen_2_firmware      | < 2.30.196    | 2.30.196
western_digital | my_cloud_pr2100_firmware            | < 2.30.196    | 2.30.196
western_digital | my_cloud_pr4100                     | < 2.30.196    | 2.30.196
western_digital | my_cloud_wdbctl0020hwt_firmware     | < 2.30.196    | 2.30.196

Detection & IOCs (extracted from sources)

cookie: username=admin
cookie: isAdmin=1; username=admin;
path: /cgi-bin/network_mgr.cgi
path: /web/google_analytics.php
command: cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23
other: cgi_get_ipv6 with flag=1
other: shodan:http.favicon.hash:-1074357885
other: fofa:icon_hash=-1074357885
yara: regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)", body)
  • Step 1 – Session creation bypass: Send a GET request to /cgi-bin/network_mgr.cgi with the command 'cgi_get_ipv6' and parameter flag=1. A successful response indicates an admin session has been created server-side, tied to the attacker's IP address.
  • Step 2 – Privilege escalation via cookie: After the bypass session is established, subsequent requests carrying the cookie 'username=admin' will be treated as authenticated admin requests by any CGI module.
  • Step 3 – Command injection: A POST to /web/google_analytics.php with body 'cmd=set&opt=cloud-device-num&arg=0|<payload>' and cookies 'isAdmin=1; username=admin' achieves unauthenticated RCE as root. Detect by monitoring for pipe characters in the 'arg' parameter of this endpoint.
  • Confirm exploitation by checking the HTTP response body for uid/gid output matching the pattern: uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)
  • Identify exposed WD MyCloud devices on the internet using Shodan favicon hash -1074357885 or FOFA icon_hash=-1074357885 to scope detection/hunting.
  • The authentication bypass (CVE-2018-17153) is required to exploit the command injection (CVE-2016-10108) only on firmware versions 2.21.126 and later. On versions before 2.21.126, the command injection endpoint may be directly reachable without the bypass step.
  • The patch for CVE-2016-10108 did not fully remove the command injection vector in /web/google_analytics.php; it only added an authentication gate. The bypass (CVE-2018-17153) circumvents that gate, restoring exploitability on patched-but-still-vulnerable firmware up to 2.30.196.
  • The admin session created by the bypass is bound to the attacker's source IP address. Detection rules should correlate the initial GET to /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 with subsequent authenticated POST requests from the same IP.
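The vulnerability description and the detection notes above both come down to one correlation: a GET to network_mgr.cgi with cmd=cgi_get_ipv6&flag=1, followed by requests from the same source IP that present the username=admin cookie, and optionally a POST to google_analytics.php whose 'arg' field carries a shell metacharacter. The script below is an added example of that correlation logic written for this page; it is not code from cbcvebase, Western Digital or any detection project. It assumes a JSON-lines access log with ts, client_ip, method, uri, cookie and body fields (a constructed format; real web-server logs usually need cookie and body logging enabled) and, as a small generalisation of the page's "pipe character" rule, also flags ';' and backtick in 'arg'. The sample log lines are constructed; the paths, parameters and the injection payload are the ones listed in the IOC section.

```python
import json
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (JSON lines, one request per line). Not real
# device logs: the IPs are documentation ranges, the paths and parameters
# are those named in the CVE record above.
SAMPLE_LOG = r"""
{"ts": "2018-09-18T10:00:01Z", "client_ip": "203.0.113.7", "method": "GET", "uri": "/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1", "cookie": "", "body": ""}
{"ts": "2018-09-18T10:00:05Z", "client_ip": "203.0.113.7", "method": "POST", "uri": "/web/google_analytics.php", "cookie": "isAdmin=1; username=admin;", "body": "cmd=set&opt=cloud-device-num&arg=0|echo%20`id`%20%23"}
{"ts": "2018-09-18T10:05:00Z", "client_ip": "192.0.2.10", "method": "GET", "uri": "/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6", "cookie": "username=admin", "body": ""}
{"ts": "2018-09-18T10:06:00Z", "client_ip": "192.0.2.10", "method": "POST", "uri": "/web/google_analytics.php", "cookie": "isAdmin=1; username=admin;", "body": "cmd=set&opt=cloud-device-num&arg=0"}
"""

BYPASS_PATH = "/cgi-bin/network_mgr.cgi"
INJECTION_PATH = "/web/google_analytics.php"
SHELL_METACHARS = "|;`"  # the page names '|'; ';' and backtick are added here


def parse_log(text):
    """Parse JSON-lines access records into dicts with a parsed timestamp, oldest first."""
    entries = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["when"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        entries.append(e)
    return sorted(entries, key=lambda e: e["when"])


def parse_cookies(header):
    """Turn 'a=1; b=2;' into {'a': '1', 'b': '2'}; tolerates a trailing separator."""
    cookies = {}
    for item in header.split(";"):
        name, sep, value = item.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def is_bypass_request(e):
    """GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1: the session-creating request."""
    parts = urlsplit(e["uri"])
    if e["method"] != "GET" or parts.path != BYPASS_PATH:
        return False
    q = parse_qs(parts.query)
    return q.get("cmd") == ["cgi_get_ipv6"] and q.get("flag") == ["1"]


def is_injection_attempt(e):
    """POST to google_analytics.php whose 'arg' field carries a shell metacharacter."""
    if e["method"] != "POST" or urlsplit(e["uri"]).path != INJECTION_PATH:
        return False
    form = parse_qs(e.get("body", ""))  # percent-decodes the values
    return any(ch in v for v in form.get("arg", []) for ch in SHELL_METACHARS)


def detect(entries, window=timedelta(minutes=10)):
    """Return (client_ip, alert_kind, uri) tuples, correlating by source IP.

    The bypass session is bound to the requesting IP, so a username=admin
    cookie is only suspicious when that same IP sent the flag=1 request
    shortly before; a normally logged-in admin carries the cookie too.
    """
    alerts = []
    last_bypass = {}  # client_ip -> time of its most recent bypass request
    for e in entries:
        ip = e["client_ip"]
        if is_bypass_request(e):
            last_bypass[ip] = e["when"]
            alerts.append((ip, "bypass_session_created", e["uri"]))
            continue
        primed = ip in last_bypass and e["when"] - last_bypass[ip] <= window
        if primed and parse_cookies(e.get("cookie", "")).get("username") == "admin":
            alerts.append((ip, "admin_cookie_after_bypass", e["uri"]))
        if is_injection_attempt(e):
            alerts.append((ip, "command_injection_attempt", e["uri"]))
    return alerts


if __name__ == "__main__":
    for ip, kind, uri in detect(parse_log(SAMPLE_LOG)):
        print(f"{ip:<14} {kind:<28} {uri}")
```

Run against the constructed log, the script raises three alerts for 203.0.113.7 (bypass request, admin cookie within the window, pipe in 'arg') and none for 192.0.2.10, whose cgi_get_ipv6 call lacks flag=1 and whose 'arg' value is clean. The correlation window is the main tuning knob: the page states the session is IP-bound but not how long it lives, so ten minutes is a starting assumption to adjust against observed admin session lifetimes.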

CVSS provenance

NVD v3.0: 9.8 CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 10.0 CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C