The spokesperson did not address Trustwave’s larger concerns regarding outsider unauthenticated access to files with user and access restrictions.
Twonky media server wdmycloud password#
WD said that only files that reside in a “share” for which DLNA is enabled are accessible without password protection and only to users on the local network.
Twonky media server wdmycloud pro#
And that DLNA is disabled on other My Cloud Pro Series and Expert Series products by default.
The spokesperson said that DLNA is enabled by default on all My Cloud and My Cloud Mirror products. Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled or disable Twonky server for the entire system, which would disable only DLNA media server capabilities,” a spokesperson said. Twonky Server allows access to My Cloud users within the local network without password protection, which is common with DLNA server software. “My Cloud systems come with Twonky Server. Western Digital told Threatpost that the DLNA feature is used in conjunction with users’ media players on smartphones and TVs. If My Cloud is on a closed network or happens to be on the open internet (and the vulnerable port 9000 is open) then an attacker anywhere can access every single file on the appliance,” Karl Sigler, threat intelligence manager at Trustwave SpiderLabs, told Threatpost in an interview. You don’t have to get the credentials ahead of time. Instead, WD only recommends users turn off DLNA “if they do not wish to utilize the product feature.” Researchers said that when they disclosed to Western Digital their research the company said the insecure default settings did not warrant a fix.
“By default, unauthenticated users can grab any files from the device completely bypassing any permissions or restrictions set by the owner or administrator,” wrote Martin Rakhmanov, security research manager at Trustwave in a technical analysis of the My Cloud EX2. Researchers said the leak is due to the device’s UPnP media server that is automatically started when the device is powered on. On Wednesday, Trustwave released its findings, warning, “unfortunately the default configuration of a new My Cloud EX2 drive allows any unauthenticated local network user to grab any files from the device using HTTP requests.” If configured for remote access via the public internet, the My Cloud EX2 also leaks files via an HTTP request on port 9000, according to researchers at Trustwave who first identified the leaky port. Western Digital’s My Cloud EX2 storage devices leak files to anyone on a local network by default, no matter the permissions set by users.
0 kommentar(er)
