mitre·CWE-287·Published 2018-09-18
It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocations of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
It has been discovered that the Western Digital My Cloud device through versions 2.30.x is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (When an administrator logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check whether a valid session is present and will bind it to the user's IP.) It has been discovered that it is possible for an unauthenticated attacker to create a valid session without logging in. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session (tied to the IP address of the user making the request) if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges would now succeed if the attacker sets the username=admin cookie.
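One way to hunt for the sequence described above in web or proxy logs, as an added example that is not part of the advisory or vendor code. The log format, the `/x/` directory, the `CMDKEY` parameter name and `example_admin.cgi` are constructed placeholders; only `network_mgr.cgi`, `cgi_get_ipv6`, `flag=1` and `username=admin` come from the description.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed format: client IP, "METHOD URL", "Cookie header".
# "/x/", "CMDKEY" and "example_admin.cgi" are placeholders, not values from the advisory.
SAMPLE_LOG = '''\
192.0.2.10 "GET /x/network_mgr.cgi?CMDKEY=cgi_get_ipv6&flag=1" "-"
192.0.2.10 "POST /x/example_admin.cgi" "username=admin"
198.51.100.7 "GET /x/network_mgr.cgi?CMDKEY=cgi_get_ipv6" "-"
198.51.100.7 "GET /x/example_admin.cgi" "username=admin"
192.0.2.10 "GET /x/index.html" "username=admin"
'''

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')


def is_session_trigger(url):
    """True if the URL calls network_mgr.cgi with cgi_get_ipv6 and flag=1."""
    parts = urlsplit(url)
    if parts.path.rsplit("/", 1)[-1] != "network_mgr.cgi":
        return False
    params = parse_qs(parts.query)
    # The parameter key is not stated in the advisory, so match on any value.
    has_command = any("cgi_get_ipv6" in values for values in params.values())
    return has_command and "1" in params.get("flag", [])


def has_admin_cookie(cookie_header):
    """True if the Cookie header carries the pair username=admin."""
    pairs = [p.strip() for p in cookie_header.split(";")]
    return "username=admin" in pairs


def find_bypass_activity(log_text):
    """Map each IP that sent the trigger to its later CGI calls made with username=admin."""
    primed = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ip, _method, url, cookie = match.groups()
        if is_session_trigger(url):
            primed.setdefault(ip, [])
        elif ip in primed and urlsplit(url).path.endswith(".cgi") and has_admin_cookie(cookie):
            primed[ip].append(url)
    return primed
```

Any IP returned here warrants review even with an empty list, since the trigger request alone creates the session. Parameters sent in a request body do not appear in a URL-only access log, so the log source must record bodies for those requests to be seen.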
| CVSS version | Type | Source | Base score | Exploitability score | Impact score | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 10.0 | 10.0 | 10.0 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| 3.0 | Primary | NVD | 9.8 | 3.9 | 5.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |