PT-2019-19954 · Western Digital · My Cloud Ex2100+8

Bnbdrwd · Published 2019-04-24 · Updated 2020-08-24 · CVE-2019-9950

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Western Digital My Cloud, My Cloud Mirror Gen2, My Cloud EX2 Ultra, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Cloud PR2100 and My Cloud PR4100, versions prior to 2.31.174.

Description: The issue allows an authentication bypass. It is related to the login_mgr.cgi file, which checks credentials against /etc/shadow. However, the nobody account has a default empty password. This allows an attacker to access the control panel API as a low-privilege logged-in user, modify the My Cloud EX2 Ultra web page source code, and obtain access to the My Cloud as a non-Admin My Cloud device user.

Recommendations: For versions prior to 2.31.174, update the firmware to version 2.31.174 or later to resolve the issue. As a temporary workaround, change the default empty password of the nobody account to prevent unauthorized access. Restrict access to the control panel API to minimize the risk of exploitation. Avoid using the default nobody account for accessing the control panel API until the issue is resolved.
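A defender-side check for the workaround above, added here as an example (it is not part of the advisory and not Western Digital code): it parses a shadow-format file and reports accounts whose password field is empty, which is the condition behind the nobody-account bypass. The sample shadow data is constructed.

```python
"""Audit a shadow-format file for accounts whose password field is empty.

An empty second field in /etc/shadow means the account authenticates with
no password at all. Locked accounts ('!' or '*') and real hashes are fine.
"""

# Constructed sample in /etc/shadow format (not taken from a real device).
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ/.:18000:0:99999:7:::
nobody::18000:0:99999:7:::
sshd:*:18000:0:99999:7:::
daemon:!:18000:0:99999:7:::
"""


def parse_shadow(text):
    """Yield (user, password_field) for every well-formed shadow line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line: skip it rather than misreport it
        yield fields[0], fields[1]


def empty_password_accounts(text):
    """Return the usernames whose password field is empty (no password needed)."""
    return [user for user, pw in parse_shadow(text) if pw == ""]


def audit_shadow_file(path="/etc/shadow"):
    """Read a shadow file (needs root) and return accounts that need a password set."""
    with open(path, encoding="utf-8") as fh:
        return empty_password_accounts(fh.read())


if __name__ == "__main__":
    for user in empty_password_accounts(SAMPLE_SHADOW):
        print(f"account '{user}' has an empty password field; set or lock it")
```

Run it against the device's real /etc/shadow before and after applying the workaround; an empty result means no password-less accounts remain.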


Weakness Enumeration

Related identifiers

CVE-2019-9950

Affected products

My Cloud
My Cloud Dl2100
My Cloud Dl4100
My Cloud Ex2 Ultra
My Cloud Ex2100
My Cloud Ex4100
My Cloud Mirror Gen2
My Cloud Pr2100
My Cloud Pr4100