PT-2018-13926 · Western Digital · Western Digital My Cloud

Remco Vermeulen · Published 2018-09-18 · Updated 2023-07-28 · CVE-2018-17153

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Western Digital My Cloud versions prior to 2.30.196

Description

The issue allows an unauthenticated attacker to bypass authentication and gain full control of the device by exploiting a vulnerability in the authentication mechanism. Specifically, the network_mgr.cgi CGI module contains a command called "cgi_get_ipv6" that can start an admin session tied to the user's IP address if a certain parameter is provided. This lets an attacker invoke commands that normally require admin privileges without providing a password. The vulnerability abuses the way server-side sessions are created and bound to a user's IP address when an admin logs in.

Recommendations

For versions prior to 2.30.196, update to version 2.30.196 or later to resolve the issue. As a temporary workaround, consider restricting access to the network_mgr.cgi CGI module to minimize the risk of exploitation. Avoid using the cgi_get_ipv6 command with the flag parameter set to 1 until the issue is resolved.
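
A triage check for the request pattern described above, as an added example that is not part of the original advisory or of any vendor code. It assumes a combined-format web access log in which request parameters appear in the query string; the sample log lines and the /cgi-bin/ path in them are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Sep/2018:10:01:02 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 112 "-" "curl/7.61"
192.0.2.10 - - [18/Sep/2018:10:01:05 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi%5Fget%5Fipv6&flag=1 HTTP/1.1" 200 112 "-" "curl/7.61"
198.51.100.7 - - [18/Sep/2018:10:02:00 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6 HTTP/1.1" 200 98 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Sep/2018:10:02:09 +0000] "POST /cgi-bin/network_mgr.cgi HTTP/1.1" 200 98 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Sep/2018:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def classify(line):
    """Return (ip, verdict) for a log line, or None if it does not touch the module."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path.rsplit("/", 1)[-1].lower() != "network_mgr.cgi":
        return None
    params = parse_qs(url.query, keep_blank_values=True)  # also percent-decodes
    cmd = [v.lower() for v in params.get("cmd", [])]
    if "cgi_get_ipv6" in cmd and "1" in params.get("flag", []):
        return m["ip"], "session-create"   # the request shape named in the advisory
    if m["method"] == "POST" and not url.query:
        return m["ip"], "opaque-post"      # body is not logged; cannot rule it out
    return m["ip"], "benign-looking"

def scan(log_text):
    """Group verdicts by source IP so an analyst can triage per client."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        result = classify(line)
        if result and result[1] != "benign-looking":
            hits[result[0]].append(result[1])
    return dict(hits)

if __name__ == "__main__":
    for ip, verdicts in scan(SAMPLE_LOG).items():
        print(ip, verdicts)
```

An access log does not record request bodies, so the "opaque-post" verdict marks requests to the module that need a second source (proxy capture, IDS) to be judged.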

Exploit

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2018-17153

Affected Products: Western Digital My Cloud