According to researchers at Trustwave, Western Digital My Cloud EX2 storage devices leak files by default to anyone on the same local network, regardless of the permissions users have set. If the device is configured for remote access over the public Internet, the My Cloud EX2 also leaks files in response to an HTTP request on port 9000.
In its advisory, the security firm explains, “unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.”
When the device is powered on, it automatically starts a Universal Plug and Play (UPnP) media server, which exposes data to any network user, whether they are authenticated or not. “By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” wrote Martin Rakhmanov, security research manager at Trustwave.
The researchers published a proof-of-concept (PoC) describing how an attacker simply sends an HTTP request to port 9000 for the TMSContentDirectory/Control resource with an XML body containing a Browse action; the UPnP server responds with a list of the files on the device. The attacker can then retrieve the files themselves with further HTTP requests, so any permissions or restrictions set by the owner or administrator are ineffective.
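From a monitoring standpoint, the request pattern described above is easy to spot in proxy or IDS logs. The following added example (not Trustwave's or Western Digital's code) scans constructed log lines in an assumed format, flags UPnP ContentDirectory Browse requests aimed at port 9000, and marks whether the source lies outside the trusted LAN; the standard UPnP SOAPAction suffix and the log layout are assumptions.

```python
import ipaddress
import re

# Assumed log line layout (adjust the regex to the real log source):
#   <ts> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <METHOD> <path> [soapaction=<value>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'(?P<method>[A-Z]+) (?P<path>\S+)(?: soapaction=(?P<action>\S+))?$'
)

MEDIA_PORT = 9000                              # media-server port named in the article
CONTROL_PATH = "/TMSContentDirectory/Control"  # control resource named in the article
BROWSE_ACTION = "ContentDirectory:1#Browse"    # assumed standard UPnP SOAPAction suffix

def is_browse_request(line):
    """True if the line is a POST to the ContentDirectory control URL carrying a Browse action."""
    m = LOG_RE.match(line)
    if not m or int(m["dport"]) != MEDIA_PORT or m["method"] != "POST":
        return False
    action = (m["action"] or "").strip('"')
    return m["path"].endswith(CONTROL_PATH) and action.endswith(BROWSE_ACTION)

def flag_browse_requests(lines, trusted_net):
    """Return (src_ip, severity) per Browse request: 'external' when the source is
    outside the trusted LAN, 'internal' otherwise (still worth reviewing, since the
    article notes that LAN users are not authenticated either)."""
    net = ipaddress.ip_network(trusted_net)
    hits = []
    for line in lines:
        if not is_browse_request(line):
            continue
        src = ipaddress.ip_address(LOG_RE.match(line)["src"])
        hits.append((str(src), "internal" if src in net else "external"))
    return hits

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '2018-03-01T10:00:01Z 192.168.1.20:51234 -> 192.168.1.5:9000 POST /TMSContentDirectory/Control soapaction="urn:schemas-upnp-org:service:ContentDirectory:1#Browse"',
    '2018-03-01T10:00:02Z 203.0.113.7:40001 -> 192.168.1.5:9000 POST /TMSContentDirectory/Control soapaction="urn:schemas-upnp-org:service:ContentDirectory:1#Browse"',
    '2018-03-01T10:00:03Z 192.168.1.21:51240 -> 192.168.1.5:80 GET /index.html',
    '2018-03-01T10:00:04Z 192.168.1.22:51250 -> 192.168.1.5:9000 GET /rootDesc.xml',
]

if __name__ == "__main__":
    for src, severity in flag_browse_requests(SAMPLE_LOG, "192.168.1.0/24"):
        print(f"{severity}: UPnP Browse request from {src}")
```

Any hit at all is a sign the media server is still enabled; an external hit means port 9000 is reachable from beyond the LAN, the case the article treats as most serious.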
“You don’t have to be authenticated. You don’t have to get the credentials ahead of time. If My Cloud is on a closed network or happens to be on the open internet (and the vulnerable port 9000 is open) then an attacker anywhere can access every single file on the appliance,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost in an interview.
There is no official fix. When Trustwave reported the vulnerability to Western Digital in January, the company apparently responded that it would not release a patch for the device’s insecure default settings. Instead, users should turn off DLNA “if they do not wish to utilize the product feature”.
A spokesperson for Western Digital issued a similar message when speaking to Threatpost recently, saying, “Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled; or disable Twonky server for the entire system, which would disable only DLNA media server capabilities.”
Threatpost said the spokesperson did not address Trustwave’s broader concern: that unauthenticated outsiders can access files that are supposed to be protected by user and access restrictions.