Western Digital My Cloud NAS Devices Contain Multiple Vulnerabilities
It’s 2018, but it feels like 2008. I often reflect on how relatively simplistic the attack surface of nearly everything was just 10 years ago, and how much we’ve evolved since then. I remember writing exploits for trivial buffer overflows without having to deal with exception handling, address randomization, stack and heap execution protections, and many other significant enhancements to operating systems, browsers and software in general. As the years passed, we started to see software vendors making tangible progress in the areas of secure coding and vulnerability mitigations. The most popular exploits tended to be in the browser space, and as such we saw an increasingly rapid response from browser vendors over the years as they struggled to gain or maintain market share in an aggressively contested market. With the evolution of sandboxing and containerization, popular browsers such as Internet Explorer and Chrome began to raise the bar on what it took to execute malicious code. Bypass mitigations, such as MemGC in the Microsoft Edge browser, were implemented to reduce the number of trivial use-after-free vulnerabilities. Operating systems have been hardened with new features such as VBS in Windows 10 (no, not Visual Basic Scripting) to provide virtualization-based security for protection of critical systems and data. It would be great if I could just end this discussion here, and we could all go home feeling great about the future of information security. Unfortunately, not everyone is aboard this train. Specifically, device manufacturers continue to deprioritize the necessity of secure code in order to get faster, larger and more feature-rich products to market quickly.
Western Digital is by no means any worse an offender in this area than others, but after reading the latest vulnerability disclosures in its ubiquitous network storage device known as My Cloud, I felt it was necessary to provide some basic insight to the industry about the implications and effects of insecure software development. The principal problem is not that these devices contain vulnerabilities; even software vendors such as Apple, which pours millions of dollars and dedicated security teams into securing its operating system, have been bitten (pun intended) by asinine security flaws. The High Sierra empty password root authentication bypass is a good example of this.
No, the problem lies in the complete lack of interest in developing secure code. Even someone with zero software development experience could probably look at the following code and see the issue; spoiler alert, it’s a classic backdoor:
It leads me to ask the simple question – how are hardcoded backdoors still a thing? Even if you can get past the myriad of early-millennium-style vulnerabilities reported in this disclosure, why won’t device manufacturers make the relatively small investment to review the code of the products they are selling worldwide? Automated tools exist for this, and even a junior-level security practitioner could likely uncover some of these flaws. Every year brings another collection of similar disclosures, yet the bar stays the same: simple format string abuse, rudimentary authentication bypasses, command injections and buffer overflows, just to name a few. Of equal importance, beyond simple coding errors, is that the basic concept of designing in a backdoor or adding one to an existing design is a well-known mistake. Resources such as the IEEE Center for Secure Design’s “Avoiding the Top 10 Security Design Flaws” have been readily available for years.
I think a big part of the problem is the sheer noise. You’d be hard pressed to find a software or device manufacturer out there who hasn’t been exposed to some negative press based on vulnerabilities reported in its products. After enough exposure, consumers subconsciously begin to tune this noise out and it becomes the de facto standard for the products they buy; a “tax”, if you will, where they carry much of the risk, in this case the potential theft of personal data and privacy.
It raises the question of what can be done to improve this process and move the industry as a whole towards better security practices. We’d like to challenge vendors to invest in secure development, code review, and patching and mitigation strategies. At McAfee, we try our best to practice what we preach. We’ve made our own mistakes, and we’ve adapted from those experiences in an ongoing effort to fundamentally improve the way we build products. It’s also time that consumers demand more from vendors; ultimately, the consumer carries the most significant tool of all: the decision about which products to buy and the mandate for security accountability. Within McAfee’s Advanced Threat Research team, we firmly believe in the process of responsible disclosure and the openness of the research community in finding and reporting similar issues. Whenever possible, we will continue to work directly with vendors who answer this call, in order to find and effectively eliminate vulnerabilities through the disclosure process.
Devices such as Western Digital’s My Cloud may fall under the purview of a consumer economy that pushes for cheaper technology with an abstract expectation of “security”. Still, software security is at the point where the “rubber meets the road”, where theory turns into practice, which in turn is delivered in the devices that we use and hope we can trust. Only with increased visibility and a shared set of priorities can we make hardcoded backdoors and other trivial security flaws truly a thing of the past.