Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2018-17153

Disclosure Date: September 18, 2018 •

CVE-2018-17153 CVSS v3 Base Score: 9.8

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Metasploit Module

exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection

Description

It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user’s IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user’s IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called “cgi_get_ipv6” that starts an admin session — tied to the IP address of the user making the request — if the additional parameter “flag” with the value “1” is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

9.8 Critical

Impact Score:

5.9

Exploitability Score:

3.9

Vector:

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

western digital

Products

my cloud dl2100,
my cloud dl4100 firmware,
my cloud ex2 firmware,
my cloud ex2 ultra firmware,
my cloud ex2100 firmware,
my cloud ex4 firmware,
my cloud ex4100,
my cloud mirror firmware,
my cloud mirror gen 2 firmware,
my cloud pr2100 firmware,
my cloud pr4100,
my cloud wdbctl0020hwt firmware

Metasploit Modules

exploit/linux/http/wd_mycloud_unauthenticated_cmd_injection (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/wd_mycloud_unauthenticated_cmd_injection.rb)

References

Canonical

CVE-2018-17153 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17153)

BID-105359 (http://www.securityfocus.com/bid/105359)

Miscellaneous

https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html

https://support.wdc.com/knowledgebase/answer.aspx?ID=25952

http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html

Rapid7

Unknown

CVE-2018-17153

Unknown

Unknown

None

None

Network

CVE-2018-17153

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2018-17153

Unknown

Unknown

None

None

Network

CVE-2018-17153

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

Metasploit Modules

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification