
Security researchers have discovered an authentication bypass vulnerability in Western Digital’s My Cloud NAS devices that potentially allows an unauthenticated attacker to gain admin-level control of the affected devices.

Western Digital’s My Cloud (WD My Cloud) is one of the most popular network-attached storage (NAS) devices, used by businesses and individuals to host their files and to back up and sync them with various cloud and web-based services.

WD My Cloud devices not only let users share files in a home network; their private cloud feature also allows users to access their data from anywhere in the world at any time.

However, security researchers at Securify have discovered an authentication bypass vulnerability on the WD My Cloud NAS boxes that could allow unauthenticated attackers with network access to the device to escalate their privileges to admin-level without needing to provide a password.

This would eventually allow attackers to run commands that typically require administrative privileges and gain complete control of the affected NAS device, including the ability to view, copy, delete and overwrite any files stored on the device.
