September 19, 2018 10:00 pm

'I'm Admin. You're Admin. Everyone is Admin.' Remote Access Bug Turns Western Digital My Cloud Into Everyone's Cloud

Researchers at infosec shop Securify revealed this week a vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges. From a report: This would, in turn, give the attacker full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it. According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device's web interface, as an HTTP CGI request, they can also include the cookie username=admin -- which unlocks admin access. Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you're the admin user in the cookie, and you're in. The researcher told TechCrunch that he reported the vulnerability to Western Digital last year, but the company "stopped responding."
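A small model of the flaw as the report describes it, beside a hardened check, added here as an illustration: it is not Western Digital's or Securify's code. The function names, the `session` cookie, the sample password and the documentation-range IP addresses are assumptions.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SALT = secrets.token_bytes(16)

def _kdf(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

ADMIN_HASH = _kdf("constructed-demo-password")  # constructed sample credential
ip_sessions = {}  # flawed model: client IP -> username
sessions = {}     # hardened model: random token -> (username, client IP)

def _cookies(header):
    """Parse a Cookie request header into a plain dict."""
    return {name: morsel.value for name, morsel in SimpleCookie(header).items()}

def flawed_is_admin(client_ip, cookie_header):
    """Flaw as described: the client's own username cookie creates an
    admin session tied to its IP, with no password check at all."""
    if _cookies(cookie_header).get("username") == "admin":
        ip_sessions[client_ip] = "admin"
    return ip_sessions.get(client_ip) == "admin"

def login(client_ip, username, password):
    """Hardened: a session is created only after the password verifies."""
    if username != "admin" or not hmac.compare_digest(_kdf(password), ADMIN_HASH):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, server-issued
    sessions[token] = (username, client_ip)
    return token

def hardened_is_admin(client_ip, cookie_header):
    """Hardened: identity comes from the server-side session record;
    any username the client claims in a cookie is ignored."""
    token = _cookies(cookie_header).get("session", "")
    return sessions.get(token) == ("admin", client_ip)
```

In the flawed model the session sticks to the client IP, so later requests from that address are treated as admin even without the cookie.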



Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/BT0ml2rPIUw/im-admin-youre-admin-everyone-is-admin-remote-access-bug-turns-western-digital-my-cloud-in
