If upgrading from a previous version of Twonky Get latest version: (for DNS320 use Kuro Box Pro) The default UPnP service on the 320 is shockingly poor; Twonky is the best replacement I've found, although it does require a license. It recommends turning off DLNA to protect user data. Mainly for my own poor memory but also for anyone else that stumbles upon them. Trustwave said they found the vulnerability on January 26. Other flaws found by Trustwave, Trendmicro and others have included cross-site request forgery, command injection, denial of service, and information disclosure. GulfTech also discovered a backdoor that included the device’s hardcoded admin credentials. In January, researchers at GulfTech found a backdoor vulnerability that allowed remote attackers to send a POST request to a vulnerable WD NAS, enabling them to upload an arbitrary file to the server running on the vulnerable storage devices. The company has patched several critical security bugs in its My Cloud network storage devices, the most serious of which allows remote attackers to gain unrestricted root access to the device. WD is no stranger to vulnerabilities found in its NAS products. That is something new specific to this device.” By knowing how the traffic works with the My Cloud (EX2) appliance, you can actually get it to feed you any file on the device, regardless of the permissions. “It doesn’t matter that you can set permissions and credentials on the My Cloud EX2 to make sure that your children’s photos are locked down and only available to somebody that’s actually authenticated with the device. Next, the attacker uses subsequent HTTP requests to fetch actual files from the device using URLs from the response collected, he said. The UPnP server will respond with a list of files on the device. “The request should contain XML with Browse action in it,” Sigler said.
Sigler said the Trustwave proof-of-concept attack involves an adversary issuing an HTTP request to port 9000 asking for the “TMSContentDirectory/Control” resource. “If you’re going to provide a NAS that actually provides authentication and access controls for users it just doesn’t make sense from a security perspective to implement this type of wonky DLNA component,” Sigler said. The spokesperson did not address Trustwave’s larger concerns regarding outsider unauthenticated access to files with user and access restrictions. WD said that only files that reside in a “share” for which DLNA is enabled are accessible without password protection and only to users on the local network. And that DLNA is disabled on other My Cloud Pro Series and Expert Series products by default. The spokesperson said that DLNA is enabled by default on all My Cloud and My Cloud Mirror products. Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled or disable Twonky server for the entire system, which would disable only DLNA media server capabilities,” a spokesperson said. Twonky Server allows access to My Cloud users within the local network without password protection, which is common with DLNA server software. “My Cloud systems come with Twonky Server. Western Digital told Threatpost that the DLNA feature is used in conjunction with users’ media players on smartphones and TVs. If My Cloud is on a closed network or happens to be on the open internet (and the vulnerable port 9000 is open) then an attacker anywhere can access every single file on the appliance,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost in an interview. You don’t have to get the credentials ahead of time. 
Instead, WD only recommends users turn off DLNA “if they do not wish to utilize the product feature.” Researchers said that when they disclosed to Western Digital their research the company said the insecure default settings did not warrant a fix. “By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” wrote Martin Rakhmanov, security research manager at Trustwave in a technical analysis of the My Cloud EX2. Researchers said the leak is due to the device’s UPnP media server that is automatically started when the device is powered on. On Wednesday, Trustwave released its findings, warning, “unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.” If configured for remote access via the public internet, the My Cloud EX2 also leaks files via an HTTP request on port 9000, according to researchers at Trustwave who first identified the leaky port. Western Digital’s My Cloud EX2 storage devices leak files to anyone on a local network by default, no matter the permissions set by users.