------------------------------------------------------------------------
Western Digital My Cloud vulnerable to Cross-Site Request Forgery
vulnerability
------------------------------------------------------------------------
Remco Vermeulen, January 2017

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that the Western Digital My Cloud is affected by
Cross-Site Request Forgery. This issue can be combined with a command
injection vulnerability (see advisory SFY201703) to gain complete
control (root access) of the affected device.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- 
https://securify.nl/advisory/SFY20170102/authentication_bypass_vulnerability_in_western_digital_my_cloud.html
- 
https://securify.nl/advisory/SFY20170103/western_digital_my_cloud_vulnerable_to_multiple_command_injection_vulnerabilities.html

------------------------------------------------------------------------
Tested versions
------------------------------------------------------------------------
This issue was successfully verified on a Western Digital My Cloud model
WDBCTL0020HWT running firmware version 2.21.126. The issue isn't limited
to the used model since most of the products in the My Cloud series
share the same (vulnerable) code.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
There is currently no fix available.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20170104/western_digital_my_cloud_vulnerable_to_cross_site_request_forgery_vulnerability.html

Western Digital My Cloud is a low-cost entry-level network-attached storage device. It was discovered that the Western Digital My Cloud is affected by Cross-Site Request Forgery. When combined with command injection (see advisory SFY201703) this issue allows an attacker to gain complete control (root access) of the affected device.

This issue exists due to the fact that the My Cloud device lacks protection against Cross-Site Request Forgery attacks. In order to exploit this vulnerability, an attacker has to lure an authenticated My Cloud device user (some command injections require an admin user whereas others also allow users with fewer privileges) into executing a malicious link crafted to exploit a command injection in a vulnerable My Cloud device.