Server Side Request Forgery Vulnerability in Western Digital My Cloud Devices
Description
A Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server. This issue affects My Cloud OS 5 devices before 5.26.202.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A server-side request forgery (SSRF) in WD My Cloud OS 5 before 5.26.202 allows a rogue LAN server to redirect a request to the loopback adapter, potentially exploiting other local services.
Vulnerability
A server-side request forgery (SSRF) vulnerability exists in Western Digital My Cloud OS 5 devices. A rogue server on the local network can modify its URL to point back to the loopback adapter (127.0.0.1), causing the My Cloud device to send a request to itself. This affects all My Cloud OS 5 devices prior to firmware version 5.26.202 [1].
Exploitation
An attacker must have a rogue server present on the same local network as the My Cloud device. The rogue server intercepts or serves a response that tricks the My Cloud OS into following a URL that points to the loopback interface (localhost). No authentication from the attacker is required, as the SSRF is triggered purely through network-level manipulation of the URL [1].
Impact
Successful exploitation allows the attacker to perform SSRF, potentially accessing services running on the local server that are normally only reachable via the loopback adapter. This could enable the attacker to exploit other vulnerabilities on the My Cloud device, potentially leading to further compromise such as information disclosure or unauthorized actions [1].
Mitigation
Western Digital released firmware version 5.26.202 on May 15, 2023, which addresses this vulnerability. All My Cloud OS 5 devices—including My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud—must be updated to this version or later to mitigate the issue [1].
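For software that fetches URLs handed to it by other hosts, the loopback redirection described under Exploitation can be refused before any request is sent. The following is an added example, not Western Digital's code and not taken from the advisory: it checks the first URL and every later hop of a fetch against loopback destinations. The hostnames, the `SAMPLE_DNS` table that stands in for real name resolution, and all function names are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed name -> address table standing in for DNS so the example runs offline.
SAMPLE_DNS = {
    "updates.example.lan": ["192.168.1.50"],
    "rogue.example.lan": ["127.0.0.1"],
    "localhost": ["127.0.0.1", "::1"],
}

def resolve(host, table=SAMPLE_DNS):
    """Return addresses for host: literal IPs as-is, names via the table."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in table.get(host.lower(), [])]

def is_self_directed(addr):
    """True when the address sends the request back to the local machine."""
    mapped = getattr(addr, "ipv4_mapped", None)  # IPv4-mapped IPv6 form
    if mapped is not None:
        addr = mapped
    return addr.is_loopback or addr.is_unspecified

def check_url(url, table=SAMPLE_DNS):
    """Return (allowed, reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "unsupported scheme or missing host"
    addrs = resolve(parts.hostname, table)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        if is_self_directed(addr):
            return False, f"{parts.hostname} -> {addr} is loopback"
    return True, "ok"

def check_chain(urls, table=SAMPLE_DNS):
    """Validate the initial URL and each subsequent hop; stop at the first bad one."""
    for hop, url in enumerate(urls):
        ok, reason = check_url(url, table)
        if not ok:
            return False, hop, reason
    return True, None, "ok"
```

In a real client the check has to run on the address the connection actually uses, and automatic redirect following has to be disabled so that each hop passes through `check_url` first.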
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <5.26.202
- Western Digital/My Cloud OS 5, v5, Range: 0