April 27, 2018
Seid Yassin (557 articles)


Western Digital’s My Cloud EX2 storage devices leak files to anyone on a local network by default, no matter the permissions set by users. If configured for remote access via the public internet, the My Cloud EX2 also leaks files via an HTTP request on port 9000, according to researchers at Trustwave who first identified the leaky port.

On Wednesday, Trustwave released its findings, warning, “unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.”

Researchers said the leak is due to the device’s UPnP media server that is automatically started when the device is powered on. “By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” wrote Martin Rakhmanov, security research manager at Trustwave in a technical analysis of the My Cloud EX2.

Researchers said that when they disclosed to Western Digital their research the company said the insecure default settings did not warrant a fix. Instead, WD only recommends users turn off DLNA “if they do not wish to utilize the product feature.”

“You don’t have to be authenticated. You don’t have to get the credentials ahead of time. If My Cloud is on a closed network or happens to be on the open internet (and the vulnerable port 9000 is open) then an attacker anywhere can access every single file on the appliance,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost in an interview.

Western Digital told Threatpost that the DLNA feature is used in conjunction with users’ media players on smartphones and TVs.

“My Cloud systems come with Twonky Server. Twonky Server allows access to My Cloud users within the local network without password protection, which is common with DLNA server software. Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled; or disable Twonky server for the entire system, which would disable only DLNA media server capabilities,” a spokesperson said.

The spokesperson said that DLNA is enabled by default on all My Cloud and My Cloud Mirror products. And that DLNA is disabled on other My Cloud Pro Series and Expert Series products by default.

WD said that only files that reside in a “share” for which DLNA is enabled are accessible without password protection and only to users on the local network.

The spokesperson did not address Trustwave’s larger concerns regarding outsider unauthenticated access to files with user and access restrictions.

“If you’re going to provide a NAS that actually provides authentication and access controls for users it just doesn’t make sense from a security perspective to implement this type of wonky DLNA component,” Sigler said.

Source | threatpost