The default configuration on the new Western Digital My Cloud EX2 storage device allows any users on the network to retrieve files via HTTP requests, Trustwave has discovered.
WD’s My Cloud represents a highly popular storage/backup device option, allowing users to easily back up important data (including documents, photos, and media files) and store it on removable media.
The new drive, however, exposes data to any unauthenticated local network user, because of a Universal Plug and Play (UPnP) media server that the device automatically starts when powered on.
By default, it allows any users capable of sending HTTP requests to the drive to grab any files from the device. Thus, any permissions or restrictions set by the owner or administrator are completely bypassed, Trustwave’s security researchers warn.
“It is possible to access files on the storage even when Public shares are disabled. Specifically, anyone can issue HTTP requests to TMSContentDirectory/Control on port 9000 passing various actions. The Browse action returns XML with URLs to individual files on the device,” the security firm explains in an advisory.
The researchers also published a proof-of-concept, explaining that an attacker needs to include XML with a Browse action in an HTTP request to port 9000 asking for the TMSContentDirectory/Control resource. The UPnP server then responds with a list of files on the device.
Next, the attacker can use HTTP requests to fetch the actual files from the device, given that they are already in the possession of the URLs leading to those files (from the response collected at the previous step).
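For defenders, the two-step pattern described above (a Browse call to the control URL, then file downloads from the same client) can be looked for in network logs. The following is an added example, not code from Trustwave or WD; the log format, IP addresses, allowlist and file URIs are constructed assumptions, and the SOAPAction value is the standard UPnP ContentDirectory one.

```python
from collections import defaultdict

NAS_PORT = 9000                                  # port named in the advisory
CONTROL_PATH = "/TMSContentDirectory/Control"    # resource named in the advisory
ALLOWED_CLIENTS = {"192.168.1.20"}               # assumption: known DLNA players (e.g. a TV)

# Constructed sample records: ts src dst dport method uri soapaction
SAMPLE_LOG = """\
1000 192.168.1.20 192.168.1.50 9000 POST /TMSContentDirectory/Control urn:schemas-upnp-org:service:ContentDirectory:1#Browse
1005 192.168.1.77 192.168.1.50 9000 POST /TMSContentDirectory/Control urn:schemas-upnp-org:service:ContentDirectory:1#Browse
1009 192.168.1.77 192.168.1.50 9000 GET /disk/item-1.pdf -
1012 192.168.1.77 192.168.1.50 9000 GET /disk/item-2.jpg -
1020 192.168.1.33 192.168.1.50 80 GET /index.html -
"""

def parse(line):
    """Split one whitespace-delimited record into a dict."""
    ts, src, dst, dport, method, uri, action = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "method": method, "uri": uri, "action": action}

def find_unexpected_browsers(log_text, allowed=ALLOWED_CLIENTS, window=300):
    """Return {src: {"browses": n, "fetches": [uris]}} for non-allowlisted
    clients that sent a Browse to the control URL, plus the GETs they made to
    the same device and port within `window` seconds of their latest Browse."""
    findings = defaultdict(lambda: {"browses": 0, "fetches": []})
    last_browse = {}  # (src, dst) -> timestamp of most recent Browse
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["dport"] != NAS_PORT or r["src"] in allowed:
            continue
        key = (r["src"], r["dst"])
        if (r["method"] == "POST" and r["uri"] == CONTROL_PATH
                and r["action"].endswith("#Browse")):
            findings[r["src"]]["browses"] += 1
            last_browse[key] = r["ts"]
        elif (r["method"] == "GET" and key in last_browse
                and r["ts"] - last_browse[key] <= window):
            findings[r["src"]]["fetches"].append(r["uri"])
    return dict(findings)

if __name__ == "__main__":
    for src, f in find_unexpected_browsers(SAMPLE_LOG).items():
        print(f"{src}: {f['browses']} Browse call(s), fetched {f['fetches']}")
```

Because the media server has no authentication, the allowlist of expected DLNA clients is the only thing separating normal playback traffic from unexpected access in this check.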
Unfortunately, there is no official fix to address the vulnerability. WD was informed of the issue in January, but the company said it wouldn’t release a patch.
The My Cloud content can be accessed from the local network when Twonky DLNA Media Server is enabled because the server does not support authentication and is broadcast to any DLNA client without any authentication mechanism.
To ensure their data remains protected, users should keep sensitive data in a password-protected My Cloud Share. They are also advised to disable Twonky DLNA Media Server for the entire My Cloud or to disable Media Serving for Shares containing sensitive data.
Instructions on how to disable Twonky DLNA Media Server are available in this knowledge base article.