WD’s My Cloud EX2 can provide access to media files even without permissions, a security vendor warns.
Many network attached storage (NAS) appliances offer a media server, so audio, video and image files can be accessed over the network by computers, smart TVs, smartphones and other devices.
However, the WD My Cloud EX2’s media server can provide access to those files even when a user shouldn’t have permission to access them, according to Trustwave.
The problem with the My Cloud EX2 lies in its UPnP/DLNA media server capability, which is enabled by default, according to Trustwave's SpiderLabs team.
When asked for a list of all the files on the device, that's what it delivers – regardless of access controls, Trustwave warns. Furthermore, that list can be used to craft an HTTP request for any of the files, which is processed by the media server without reference to the file's permissions. This bypasses the access controls completely, so any user with the right knowledge (or armed with a fairly simple program) could download files from the NAS appliance.
According to Trustwave, WD was notified of the problem but does not intend to make any changes, instead recommending that customers disable the DLNA media server feature.
“DLNA/UPnP doesn’t offer support for authentication or access control as a feature of the protocol itself,” SpiderLabs threat intelligence manager Karl Sigler told Business IT.
“This may be conjecture as I don’t know the specific code or engineering of the MyCloud device, but I believe that limiting DLNA server access to a specific folder or section of the device (perhaps a folder titled “Public Media”) should be possible [for WD]. This would help users understand that those files are not protected by the permissions or user accounts, while still providing protection for other files on the device.”
The default folder structure on an EX2 includes a top-level folder called “Public” which contains “Shared Music”, “Shared Pictures” and “Shared Videos”. There is no indication or warning that the DLNA media server accesses files in other folders, let alone that this happens regardless of the files' assigned permissions, Trustwave says.
The security vendor has provided a Python script that can be used to test other devices.
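As an added illustration (this is not Trustwave's script and not WD or Twonky code), the audit below walks a DLNA ContentDirectory tree the way a client would and reports every file the media server offers that does not sit under an approved share. It assumes a `browse(object_id)` callable that returns the DIDL-Lite XML of a Browse response; here the responses are constructed inline so the check runs offline, and it assumes container titles mirror share and folder names, which a real server may not guarantee.

```python
import xml.etree.ElementTree as ET

# Real DIDL-Lite namespaces used in UPnP ContentDirectory Browse responses.
NS = {
    "didl": "urn:schemas-upnp-org:metadata-1-0/DIDL-Lite/",
    "dc": "http://purl.org/dc/elements/1.1/",
    "upnp": "urn:schemas-upnp-org:metadata-1-0/upnp/",
}
_HDR = ('<DIDL-Lite xmlns="%s" xmlns:dc="%s" xmlns:upnp="%s">'
        % (NS["didl"], NS["dc"], NS["upnp"]))

def _container(cid, title):
    return ('<container id="%s"><dc:title>%s</dc:title>'
            '<upnp:class>object.container.storageFolder</upnp:class></container>' % (cid, title))

def _item(iid, title):
    return ('<item id="%s"><dc:title>%s</dc:title>'
            '<upnp:class>object.item.imageItem.photo</upnp:class></item>' % (iid, title))

# Constructed sample responses keyed by container ObjectID (root is "0"); they stand in
# for the SOAP ContentDirectory Browse(BrowseDirectChildren) call a real device answers.
SAMPLE_TREE = {
    "0": _HDR + _container("1", "Public") + _container("2", "Finance") + "</DIDL-Lite>",
    "1": _HDR + _container("3", "Shared Pictures") + "</DIDL-Lite>",
    "3": _HDR + _item("3$1", "beach.jpg") + "</DIDL-Lite>",
    "2": _HDR + _item("2$1", "signed_contract.jpg") + _container("4", "Receipts") + "</DIDL-Lite>",
    "4": _HDR + _item("4$1", "invoice_0421.png") + "</DIDL-Lite>",
}

def browse_sample(object_id):
    """Hypothetical stand-in for the network Browse call; returns an empty listing if unknown."""
    return SAMPLE_TREE.get(object_id, _HDR + "</DIDL-Lite>")

def walk(browse, object_id="0", prefix=""):
    """Yield 'Share/folder/file' for every item reachable from object_id."""
    root = ET.fromstring(browse(object_id))
    for cont in root.findall("didl:container", NS):
        title = cont.findtext("dc:title", "", NS)
        yield from walk(browse, cont.get("id"), prefix + title + "/")
    for item in root.findall("didl:item", NS):
        yield prefix + item.findtext("dc:title", "", NS)

def exposed_outside(browse, allowed_shares):
    """Return the paths the media server hands out that are not under an approved share."""
    allowed = tuple(s.rstrip("/") + "/" for s in allowed_shares)
    return sorted(p for p in walk(browse) if not p.startswith(allowed))

if __name__ == "__main__":
    for path in exposed_outside(browse_sample, ["Public"]):
        print("served outside approved shares:", path)
```

Anything the audit lists for a share that is meant to be private is a candidate for moving into a DLNA-enabled share deliberately, or for switching media serving off on that share.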
UPDATE: We have now heard from a WD spokesperson, who pointed out that access control for My Cloud's media server (Twonky) “allows access to My Cloud users within the local network without password protection, which is common with any DLNA server software.”
That's certainly true: one of the ideas behind DLNA is to make media content easily accessible to local users.
But contrary to Trustwave's advice, My Cloud does provide control over which files are available to DLNA clients. This is done at the share level, the spokesperson explained, not at the level of individual files or folders.
So if that “Public” folder is shared and media serving is active for that share, all media files within “Public” and its subdirectories are available via DLNA.
“Western Digital recommends that users save their content they want protected with a password in shares for which DLNA capabilities are disabled; or disable Twonky server for the entire system,” the spokesperson said.
Anyway, it seems that My Cloud owners would be well advised to disable the DLNA server completely if they aren't using it – disabling unwanted services is a basic precaution. But if they are using DLNA, it seems wise to take a minute or two to check that media serving is only enabled for the appropriate share(s), and that they don't contain any sensitive files.