Backdoor and Other Flaws Discovered in WD MyCloud NAS Devices

A researcher from GulfTech Research and Development recently published a report detailing three security flaws in Western Digital’s (WD) MyCloud network-attached storage (NAS) devices, which he reported to the company in June 2017. The flaws are: a PHP file on the WD MyCloud’s embedded web server that allows unrestricted file uploads, a cross-site request forgery (CSRF) bug that can be exploited to execute arbitrary commands on the device, and an account with hardcoded credentials that could allow a remote actor to gain unauthorized access and root permissions for the account. As a result of the report, Western Digital released a firmware update for the affected NAS devices that removes the backdoor and patches the other flaws. The NJCCIC encourages all WD MyCloud NAS users and administrators to update their firmware to version 2.30.174 as soon as possible.
