According to the blog post, the vulnerabilities, which include a hardcoded backdoor, can be used to access files even on a password-protected My Cloud NAS drive and also to perform remote code execution. The researcher spotted an unalterable admin account with the username “mydlinkBRionyg” and password “abc12345cba” that can be used to access an affected NAS drive at any time.
The presence of “mydlink” in the username was enough to spark concerns, and after some investigation the researcher realized that the My Cloud firmware had in the past shared code with the D-Link Share Center.
“It is interesting to think about how before D-Link updated their software two of the most popular NAS device families in the world, sold by two of the most popular tech companies in the world were both vulnerable at the same time, to the same backdoor for a while.”
According to the researcher, D-Link closed the backdoor back in 2014. WD issued firmware updates (firmware 2.30.172) in November last year, after being notified about the backdoor six months earlier. The researcher had to wait until January to publish, under the non-disclosure terms.
The list of affected devices includes:
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100
Bercegay calls the exploitation of the vulnerabilities trivial, which makes them dangerous and even wormable. “An attacker could literally take over your WDMyCloud by just having you visit a website where an embedded iframe or img tag makes a request to the vulnerable device using one of the many predictable default hostnames for the WDMyCloud such as “wdmycloud” and “wdmycloudmirror” etc.”
You can read more in the researcher’s blog post.
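Two defender-side checks that follow from the facts above, written as an added example that is not part of the article or of any WD or GulfTech code: a firmware version comparison against the fixed release 2.30.172, and a pass over web-server access logs that flags requests reaching the device through one of the default hostnames named in the quote while the referring page lives elsewhere (the iframe/img pattern Bercegay describes). The log line format, the request paths and the sample lines are constructed for this illustration and are not real device logs.

```python
"""Added example (not from the original article or WD/GulfTech code): defender-side
checks derived from the article's facts. Firmware 2.30.172 is the fixed version and
"wdmycloud"/"wdmycloudmirror" are the default hostnames quoted on the page; the log
format, request paths and sample lines below are constructed for illustration."""
import re
from urllib.parse import urlparse

FIXED_VERSION = (2, 30, 172)  # firmware WD shipped in November 2017 (from the article)
# Default hostnames quoted on the page; a predictable name lets a third-party page reach the device.
DEFAULT_HOSTNAMES = {"wdmycloud", "wdmycloudmirror"}


def parse_version(version: str) -> tuple:
    """Turn a dotted firmware string such as '2.30.165' into a comparable tuple."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version format: {version!r}")
    return tuple(int(p) for p in parts)


def firmware_is_vulnerable(version: str) -> bool:
    """True when the installed firmware predates the fixed release named in the article."""
    return parse_version(version) < FIXED_VERSION


# Constructed log format (assumption): <client_ip> <Host header> "<method> <path>" <status> "<referer>"
LOG_RE = re.compile(r'^(\S+) (\S+) "(\w+) (\S+)" (\d{3}) "([^"]*)"$')


def is_cross_site(host: str, referer: str) -> bool:
    """Flag a request that hit the device via a default hostname while the page
    that issued it is hosted somewhere else (the embedded iframe/img pattern)."""
    hostname = host.split(":")[0].lower()
    if hostname not in DEFAULT_HOSTNAMES:
        return False
    if not referer or referer == "-":
        return False  # direct navigation or no Referer: no evidence of a third-party page
    ref_host = (urlparse(referer).hostname or "").lower()
    return ref_host not in DEFAULT_HOSTNAMES and ref_host != hostname


def flag_cross_site_requests(log_lines):
    """Return (client_ip, path, referer) for every parsable line matching the pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the constructed format
        client, host, _method, path, _status, referer = m.groups()
        if is_cross_site(host, referer):
            hits.append((client, path, referer))
    return hits


# Constructed sample lines, not real device logs; paths are placeholders.
SAMPLE_LOG = [
    '192.168.1.20 wdmycloud "GET /" 200 "-"',
    '192.168.1.20 wdmycloud "GET /cgi-bin/example.cgi" 200 "http://wdmycloud/"',
    '192.168.1.20 wdmycloud "GET /cgi-bin/example.cgi" 200 "http://evil.example/page.html"',
    '192.168.1.20 wdmycloudmirror:80 "POST /cgi-bin/example.cgi" 200 "http://evil.example/"',
    '192.168.1.21 nas.local "GET /cgi-bin/example.cgi" 200 "http://evil.example/"',
]

if __name__ == "__main__":
    for ver in ("2.30.165", "2.30.172", "2.30.181"):
        print(ver, "vulnerable" if firmware_is_vulnerable(ver) else "fixed")
    for hit in flag_cross_site_requests(SAMPLE_LOG):
        print("cross-site request:", hit)
```

The Referer check only catches browsers that send one, so it is a triage signal rather than a guarantee; the reliable fix is the firmware update, and the version check is the first thing to run on any device in the affected list.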