CVE-2018-17153

{"id": "CVE-2018-17153", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 10.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "acInsufInfo": false, "impactScore": 10.0, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2018-09-18T15:29:00.307", "references": [{"url": "http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html", "source": "cve@mitre.org"}, {"url": "http://www.securityfocus.com/bid/105359", "tags": ["Third Party Advisory", "VDB Entry"], "source": "cve@mitre.org"}, {"url": "https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://support.wdc.com/knowledgebase/answer.aspx?ID=25952", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://packetstormsecurity.com/files/173802/Western-Digital-MyCloud-Unauthenticated-Command-Injection.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/105359", "tags": ["Third Party Advisory", "VDB Entry"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://securify.nl/nl/advisory/SFY20180102/authentication-bypass-vulnerability-in-western-digital-my-cloud-allows-escalation-to-admin-privileges.html", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://support.wdc.com/knowledgebase/answer.aspx?ID=25952", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "It was discovered that the Western Digital My Cloud device before 2.30.196 is affected by an authentication bypass vulnerability. An unauthenticated attacker can exploit this vulnerability to authenticate as an admin user without needing to provide a password, thereby gaining full control of the device. (Whenever an admin logs into My Cloud, a server-side session is created that is bound to the user's IP address. After the session is created, it is possible to call authenticated CGI modules by sending the cookie username=admin in the HTTP request. The invoked CGI will check if a valid session is present and bound to the user's IP address.) It was found that it is possible for an unauthenticated attacker to create a valid session without a login. The network_mgr.cgi CGI module contains a command called \"cgi_get_ipv6\" that starts an admin session -- tied to the IP address of the user making the request -- if the additional parameter \"flag\" with the value \"1\" is provided. Subsequent invocation of commands that would normally require admin privileges now succeed if an attacker sets the username=admin cookie."}, {"lang": "es", "value": "Se ha descubierto que el dispositivo Western Digital My Cloud hasta las versiones 2.30.x se ve afectado por una vulnerabilidad de omisi\u00f3n de autenticaci\u00f3n. Un atacante no autenticado puede explotar esta vulnerabilidad para autenticarse como usuario administrador sin necesitar proporcionar una contrase\u00f1a, obteniendo as\u00ed el control total del dispositivo. (Cuando un administrador inicia sesi\u00f3n en My Cloud, se crea una sesi\u00f3n del lado del servidor que est\u00e1 conectado a la direcci\u00f3n IP del usuario. Tras crear la sesi\u00f3n, es posible llamar a m\u00f3dulos CGI autenticados mediante el env\u00edo de la cookie username=admin en la petici\u00f3n HTTP. El CGI invocado comprobar\u00e1 si hay una sesi\u00f3n v\u00e1lida presente y la conectar\u00e1 con la IP del usuario). Se ha descubierto que es posible para un atacante no autenticado crear una sesi\u00f3n v\u00e1lida sin iniciar sesi\u00f3n. El m\u00f3dulo CGI network_mgr.cgi contiene un comando llamado \"cgi_get_ipv6\" que inicia una sesi\u00f3n de administrador (enlazada con la direcci\u00f3n IP del usuario que realiza la petici\u00f3n) si se proporciona el par\u00e1metro adicional \"flag\" con el valor \"1\". La invocaci\u00f3n subsecuente de comandos que normalmente requerir\u00edan privilegios de administrador tendr\u00eda \u00e9xito ahora si el atacante establece la cookie username=admin."}], "lastModified": "2024-11-21T03:53:58.427", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_wdbctl0020hwt_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "72826ADF-89BA-4C0B-B309-7B4D1D522EEF", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_wdbctl0020hwt:*:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F69232FE-B692-4334-A06D-11023EE27D75"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_pr4100:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7AA6C98B-CD5F-40ED-A831-4F1927012950", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_pr4100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1DF44A0E-2B7A-4525-BC0A-7C56271655B0"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_pr2100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF9FFCC4-7C24-4C03-B522-BE083E5F0303", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_pr2100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F19BE2A1-CA04-4815-AC90-228292E900AA"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_mirror_gen_2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "78A51BAB-2107-4ABB-B3EB-F74F1661F779", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_mirror_gen_2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "59E4EF23-60FE-43D4-9637-21977089B91E"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_mirror_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F1A0D86-EE7A-427E-9A1A-909C9FB8DD7E", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_mirror:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "59F71114-72DC-4615-9F81-474F3B12EA36"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_ex4100:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "450B318F-4731-44B2-92B9-E609DAF5D36D", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_ex4100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "74DAD0B3-E596-46F3-81EB-DE4D9BC8C8F4"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_ex4_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "614A2E24-88A4-4C61-A05F-63B7EE3425FD", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_ex4:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "DAAFE67F-96B1-41E7-AC44-6EF652F2E206"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_ex2100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36E6F9E3-F0AE-46D9-A503-6B72B78676B7", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_ex2100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "62E9610C-43A8-483A-BB7B-789C25AA97A8"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_ex2_ultra_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A1C4B10-0193-4D81-A43F-4B6D45918E01", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_ex2_ultra:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "F7BD0108-A509-4F54-86D5-5471D079D280"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_ex2_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F9D0E860-8524-4494-B18A-45D79A17054B", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_ex2:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1A245E9A-CB59-4B34-BB54-3DDAAB556E72"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_dl4100_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D1CAC50A-30D0-4D67-AC01-1CFD102F4A07", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_dl4100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "64C352EC-57F1-4DE0-A160-605277F01543"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:western_digital:my_cloud_dl2100:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "981FA25E-7FF4-449D-9A29-CAED094625E8", "versionEndExcluding": "2.30.196"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:western_digital:my_cloud_dl2100:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "64EA309B-4692-43E7-B493-9E1DBD3C7E3B"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}