Multiple vulnerabilities in NAS devices
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2018-18471 CVE-2018-18472 |
| CWE-ID | CWE-77 CWE-611 |
| Exploitation vector | Network |
| Public exploit | Vulnerability #2 is being exploited in the wild. |
| Vulnerable software Subscribe |
Seagate GoFlex Home Hardware solutions / Firmware Medion LifeCloud NAS Hardware solutions / Office equipment, IP-phones, print servers Netgear Stora Hardware solutions / Office equipment, IP-phones, print servers WD My Book Live Hardware solutions / Office equipment, IP-phones, print servers |
| Vendor |
Seagate Medion NETGEAR Western Digital |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Privilege escalation
EUVDB-ID: #VU15459
Risk: High
CVSSv3.1: 9.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2018-18471
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The weakness exists due to most of the API endpoints and the web interface were accessible without authentication while one of the endpoints in the REST API interface is located at /api/2.0/rest/aggregator/xml which loads xml data from POST data. A remote attacker cause the xml parser to make a request to the server at 192.168.56.1 for the file XXE_CHECK, get usernames and passwords,
cause the daemon to skip over junk data until it finds the string as shown in the IDA snippet below and inject arbitrary commands and execute arbitrary code with root privileges.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versionsSeagate GoFlex Home: All versions
Medion LifeCloud NAS: All versions
Netgear Stora: All versions
External linkshttp://www.wizcase.com/blog/hack-2018/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Command injection
EUVDB-ID: #VU15460
Risk: High
CVSSv3.1: 9.8 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:U/RC:C]
CVE-ID: CVE-2018-18472
CWE-ID:
CWE-77 - Command injection
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary commands on the target system.
The weakness exists in the language change and modify functionality in the REST API. A remote attacker can send a specially crafted request to inject and execute arbitrary commands with root privileges.
Note, the vulnerability is being actively exploited in the wild.
Cybersecurity Help is currently unaware of any solutions addressing the vulnerability.
Vulnerable software versionsWD My Book Live: All versions
External linkshttp://www.wizcase.com/blog/hack-2018/
http://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
