9.8
CRITICAL
CVE-2018-17153
Western Digital My Cloud Unauthenticated Admin Session Bypass
Description

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

INFO

Published Date :

Sept. 18, 2018, 3:29 p.m.

Last Modified :

Nov. 21, 2024, 3:53 a.m.

Source :

[email protected]

Remotely Exploitable :

Yes !

Impact Score :

5.9

Exploitability Score :

3.9
Affected Products

The following products are affected by CVE-2018-17153 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Western_digital my_cloud_wdbctl0020hwt_firmware
2 Western_digital my_cloud_pr4100
3 Western_digital my_cloud_pr2100_firmware
4 Western_digital my_cloud_mirror_gen_2_firmware
5 Western_digital my_cloud_mirror_firmware
6 Western_digital my_cloud_ex4100
7 Western_digital my_cloud_ex4_firmware
8 Western_digital my_cloud_ex2100_firmware
9 Western_digital my_cloud_ex2_ultra_firmware
10 Western_digital my_cloud_ex2_firmware
11 Western_digital my_cloud_dl4100_firmware
12 Western_digital my_cloud_dl2100
13 Western_digital my_cloud_wdbctl0020hwt
14 Western_digital my_cloud_pr4100
15 Western_digital my_cloud_pr2100
16 Western_digital my_cloud_mirror_gen_2
17 Western_digital my_cloud_mirror
18 Western_digital my_cloud_ex4100
19 Western_digital my_cloud_ex4
20 Western_digital my_cloud_ex2100
21 Western_digital my_cloud_ex2_ultra
22 Western_digital my_cloud_ex2
23 Western_digital my_cloud_dl4100
24 Western_digital my_cloud_dl2100
: Total Affected Vendor : 1 | Products : 24
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2018-17153.

URL Resource
http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
http://www.securityfocus.com/bid/105359 Third Party Advisory VDB Entry
https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html Exploit Third Party Advisory
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952 Third Party Advisory
http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html
http://www.securityfocus.com/bid/105359 Third Party Advisory VDB Entry
https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html Exploit Third Party Advisory
https://support.wdc.com/knowledgebase/answer.aspx?ID=25952 Third Party Advisory

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2018-17153 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2018-17153 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by [email protected]

    May. 14, 2024

    Action Type Old Value New Value
  • CVE Modified by [email protected]

    Jul. 28, 2023

    Action Type Old Value New Value
    Added Reference http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html [No Types Assigned]
  • Initial Analysis by [email protected]

    Dec. 18, 2018

    Action Type Old Value New Value
    Added CVSS V2 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
    Added CVSS V3 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    Changed Reference Type https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html No Types Assigned https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html Exploit, Third Party Advisory
    Changed Reference Type https://support.wdc.com/knowledgebase/answer.aspx?ID=25952 No Types Assigned https://support.wdc.com/knowledgebase/answer.aspx?ID=25952 Third Party Advisory
    Changed Reference Type http://www.securityfocus.com/bid/105359 No Types Assigned http://www.securityfocus.com/bid/105359 Third Party Advisory, VDB Entry
    Added CWE CWE-287
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_wdbctl0020hwt_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_wdbctl0020hwt:*:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_pr4100:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_pr4100:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_pr2100:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_mirror_gen_2_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_mirror_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_mirror:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_ex4100:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_ex4100:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_ex4_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_ex4:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_ex2100:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_ex2_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_ex2:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_dl4100:-:*:*:*:*:*:*:*
    Added CPE Configuration AND OR *cpe:2.3:o:western_digital:my_cloud_dl2100:*:*:*:*:*:*:*:* versions up to (excluding) 2.30.196 OR cpe:2.3:h:western_digital:my_cloud_dl2100:-:*:*:*:*:*:*:*
  • CVE Modified by [email protected]

    Sep. 22, 2018

    Action Type Old Value New Value
    Changed Description It was discovered that the Western Digital My Cloud device through 2.30.x is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie. It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter "flag" with the value "1" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.
    Added Reference https://support.wdc.com/knowledgebase/answer.aspx?ID=25952 [No Types Assigned]
  • CVE Modified by [email protected]

    Sep. 20, 2018

    Action Type Old Value New Value
    Added Reference http://www.securityfocus.com/bid/105359 [No Types Assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2018-17153 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2018-17153 weaknesses.

Exploit Prediction

EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days.

46.54 }} -7.70%

score

0.97510

percentile

CVSS30 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: