Security researchers have released details on general vulnerabilities in cloud storage drives that have not released security patches for more than a year.
Remco Vermeulen I found a bug in privilege escalation of Western Digital's My Cloud device. He states that an attacker can "completely control" data from the device, bypassing the administrator's password. user.
The operation works because the player's web dashboard does not correctly check the user's credentials before the attacker gains access to tools that require a higher level of access.
Vermeulen said that it is "easy" to exploit this bug by e-mail, and if My Cloud device can remotely access thousands of devices via the Internet, it is remotely exploited. He is Ed Concept demonstration video On Twitter.
Details of the bug were also found independently By another security teamWho publishes his exploit code?
Vermeulen reported this bug more than a year ago in April 2017 but said the company stopped responding. Normally, security researchers respond to companies within 90 days according to responsible disclosure guidelines accepted by the industry.
After knowing that WD updated My Cloud firmware without fixing the vulnerability discovered by WD, he decided to announce his discovery.
One year later, WD has not yet released any patches.
The company confirmed that we are aware of this vulnerability, but I did not say why it took more than a year to release the patch. "We are in the stage of completing the scheduled firmware update to solve the reported problem," the spokesperson said, "We will arrive" in a few weeks ".
WD said that many of My Cloud products have vulnerabilities including EX2, EX4, Mirror, but My Cloud Home is not vulnerable.
Meanwhile, Vermeulen had no immediate fix and said the user had to "disconnect" if you wanted to protect the data.
I hope you like the news:
Western Digital My Cloud Drive Password Bypass Failure Damages Data -
#Stay Tuned For More Updates :)