CVE-2018-17153
Published 2018-09-18
Priority P183 · critical · 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 86.59% (99.7th percentile)
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| western_digital | my_cloud_dl2100 | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_dl4100_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_ex2100_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_ex2_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_ex2_ultra_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_ex4100 | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_ex4_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_mirror_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_mirror_gen_2_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_pr2100_firmware | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_pr4100 | < 2.30.196 | 2.30.196 |
| western_digital | my_cloud_wdbctl0020hwt_firmware | < 2.30.196 | 2.30.196 |
Detection & IOCs
Indicator pattern (YARA-style regex over the HTTP response body): regex("uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)", body)
- Step 1 – Session creation bypass: Send a GET request to /cgi-bin/network_mgr.cgi with the command 'cgi_get_ipv6' and parameter flag=1. A successful response indicates an admin session has been created server-side, tied to the attacker's IP address.
- Step 2 – Privilege escalation via cookie: After the bypass session is established, subsequent requests carrying the cookie 'username=admin' will be treated as authenticated admin requests by any CGI module.
- Step 3 – Command injection: A POST to /web/google_analytics.php with body 'cmd=set&opt=cloud-device-num&arg=0|<payload>' and cookies 'isAdmin=1; username=admin' achieves unauthenticated RCE as root. Detect by monitoring for pipe characters in the 'arg' parameter of this endpoint.
- Confirm exploitation by checking the HTTP response body for uid/gid output matching the pattern: uid=([0-9(a-z)]+) gid=([0-9(a-z)]+) groups=([0-9(a-z)]+)
- Identify exposed WD MyCloud devices on the internet using Shodan favicon hash -1074357885 or FOFA icon_hash=-1074357885 to scope detection/hunting.
- The authentication bypass (CVE-2018-17153) is required to exploit the command injection (CVE-2016-10108) only on firmware versions 2.21.126 and later. On versions before 2.21.126, the command injection endpoint may be directly reachable without the bypass step.
- The patch for CVE-2016-10108 did not fully remove the command injection vector in /web/google_analytics.php — it only added an authentication gate. The bypass (CVE-2018-17153) circumvents that gate, restoring exploitability on patched-but-still-vulnerable firmware up to 2.30.196.
- The admin session created by the bypass is bound to the attacker's source IP address. Detection rules should correlate the initial GET to /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 with subsequent authenticated POST requests from the same IP.
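The correlation described in the last note above, as an added example that is not code from this page or from the tracker: a Python pass over web-server access-log lines that flags source IPs which issue the session-creating GET (cmd=cgi_get_ipv6 with flag=1) and then call privileged endpoints. The log lines and the list of privileged endpoints are constructed assumptions; a production rule would also bound the correlation window in time.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format), not taken from the page.
# 10.0.0.5 is ordinary admin traffic; 203.0.113.7 models the bypass followed by admin actions.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Sep/2018:10:00:01 +0000] "GET /web/ HTTP/1.1" 200 512
10.0.0.5 - - [18/Sep/2018:10:00:02 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6 HTTP/1.1" 200 88
203.0.113.7 - - [18/Sep/2018:10:05:00 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 88
203.0.113.7 - - [18/Sep/2018:10:05:01 +0000] "POST /web/google_analytics.php HTTP/1.1" 200 41
203.0.113.7 - - [18/Sep/2018:10:05:02 +0000] "POST /cgi-bin/system_mgr.cgi HTTP/1.1" 200 41
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Endpoints that should only ever be reached after a genuine admin login (assumed list).
PRIVILEGED_PATHS = ("/web/google_analytics.php",)
PRIVILEGED_PREFIXES = ("/cgi-bin/",)


def is_bypass_request(method: str, target: str) -> bool:
    """True for the session-creating request: GET network_mgr.cgi?cmd=cgi_get_ipv6&flag=1."""
    parts = urlsplit(target)
    if method != "GET" or not parts.path.endswith("/cgi-bin/network_mgr.cgi"):
        return False
    qs = parse_qs(parts.query)
    return qs.get("cmd") == ["cgi_get_ipv6"] and qs.get("flag") == ["1"]


def find_bypass_chains(log_text: str) -> dict:
    """Map each source IP that fired the bypass to the bypass timestamp and the
    privileged requests it made afterwards; IPs with no follow-up are not reported."""
    armed = {}   # ip -> timestamp of the successful bypass request
    chains = {}  # ip -> {"bypass_at": ts, "followups": [paths]}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m["ip"], m["method"], m["target"], m["status"]
        if is_bypass_request(method, target) and status == "200":
            armed[ip] = m["ts"]
            continue
        path = urlsplit(target).path
        privileged = path in PRIVILEGED_PATHS or path.startswith(PRIVILEGED_PREFIXES)
        if ip in armed and privileged:
            chains.setdefault(ip, {"bypass_at": armed[ip], "followups": []})["followups"].append(path)
    return chains
```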
CVSS provenance
- NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Nuclei
Western Digital MyCloud NAS - Authentication Bypass (nuclei · CVSS 9.8 · CRITICAL)
Metasploit
Western Digital MyCloud unauthenticated command injection (metasploit · CVSS 9.8 · CRITICAL)
This module exploits authentication bypass (CVE-2018-17153) and command injection (CVE-2016-10108) vulnerabilities in Western Digital MyCloud before 2.30.196 in order to achieve unauthenticated remote code execution as the root user. The module first performs a check to see if the target is WD MyCloud. If so, it attempts to trigger an authentication bypass (CVE-2018-17153) via a crafted GET request to /cgi-bin/network_mgr.cgi. If the server responds as expected, the module assesses the vulnerability status by attempting to exploit a command injection vulnerability (CVE-2016-10108) in order to print a random string via the echo command. This is done via a crafted POST request to /web/google_analytics.php. If the server is vulnerable
References
- http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
- http://www.securityfocus.com/bid/105359
- https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html
- https://support.wdc.com/knowledgebase/answer.aspx?ID=25952