SB2017010305 - Remote OS command injection in Western Digital MyCloud NAS

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) OS command injection (CVE-ID: CVE-2016-10107)

The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.

The vulnerability exists due to insufficient sanitization of user-supplied "Cookie" header in /index.php script. A remote attacker can send specially crafted HTTP request containing malicious "Cookie" header and execute arbitrary OS commands with root privileges.

Successful exploitation of the vulnerability will result in full compromise of vulnerable device.

2) OS command injection (CVE-ID: CVE-2016-10108)

The vulnerability allows a remote attacker to execute arbitrary OS commands on vulnerable device.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via "arg" HTTP POST parameter to "/web/google_analytics.php" script. A remote attacker can send specially crafted HTTP POST request to vulnerable device and execute arbitrary OS commands with root privileges.

Successful exploitation of the vulnerability will result in full compromise of vulnerable device.

Remediation

Install update from vendor's website.

References

• http://support.wdc.com/download/notes/WD_My_Cloud_Firmware_Release_Notes_2.21.126.pdf?v=445
• https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/