Trustwave Holdings Inc.'s SpiderLabs found that Western Digital's My Cloud EX2 backup devices can expose data to...
unauthorized HTTP requests. How do these HTTP requests bypass Western Digital's security measures and how can the issue be mitigated?
Western Digital markets the My Cloud EX2 network attached storage (NAS) device as a safe place to store all types of data, including backups. However, that safe haven turned out to be dangerous, as a researcher discovered default configured My Cloud EX2 devices that enabled an unauthenticated local network user to bypass file system permissions and restrictions using HTTP requests.
The My Cloud EX2 device ships with a configuration that initiates a Universal Plug and Play (UPnP) server that accepts HTTP requests on port 9000, enabling an unauthorized local network user to browse individual files stored on the NAS device.
Even though the Public Access option is turned off by default on the device's dashboard, users on the local network can still send HTTP requests to access files in folders that are shared on the network.
Martin Rakhmanov, security research manager at Trustwave, a cybersecurity company based in Chicago, discovered and wrote about the vulnerability -- including a proof-of-concept (POC) exploit -- in a blog post earlier this year. Rakhmanov posted the POC written in Python demonstrating how an attacker can access files on the device by issuing HTTP requests to the TMSContentDirectory/Control resource on port 9000.
The My Cloud EX2 device responds to the HTTP request with a list of files on the device in XML format. URLs, file names, file extension types and storage dates -- both new and modified -- can be exposed, and an attacker can use the URLs in the list to view and modify the files on the My Cloud EX2.
The UPnP server that enables the vulnerability is incorporated into the Twonky Digital Living Network Alliance (DLNA) server built into the storage device. Twonky is a DLNA server published by Lynx Technology.
The Twonky DLNA server allows the My Cloud EX2 device to automatically stream content to any DLNA-compliant device or player, such as a media player or smart TV. These devices can be connected to the NAS on the local network or directly via USB ports on the My Cloud EX2 storage device. Authentication is not supported by the Twonky DLNA implementation.
The POC showed how port 9000 can be used to access files stored on a non-DLNA and a DLNA device; however, the default configurations of My Cloud EX2 failed to validate communications on port 9000. The IP address may change after rebooting the My Cloud EX2, but the attacker can stay on to gain file access.
Rather than patching or replacing the Twonky DLNA server, Western Digital's solution to the issue was to recommend users disable the Twonky DLNA server.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)
Dig Deeper on Network device security: Appliances, firewalls and switches
Related Q&A from Judith Myerson
The Constrained Application Protocol underpins IoT networks. But the protocol could allow a threat actor to launch an attack. Continue Reading
Dutch researchers discovered flaws in ATA security and TCG Opal affecting self-encrypting drives. What steps can you take to guard data stored on ... Continue Reading
The Signal Desktop application was found to be making decryption keys available in plaintext. Learn how the SQLite database and plaintext passwords ... Continue Reading