WD ShareSpace WEB GUI Sensitive Data Disclosure

SEC Consult Vulnerability Lab Security Advisory < 20120618-0 >

=======================================================================

title: WD ShareSpace WEB GUI Sensitive Data Disclosure

product: WD ShareSpace network storage system

vulnerable version: WD ShareSpace <= v2.3.02 (D and E series)

fixed version: none

impact: High

homepage: support.wdc.com/product/download.asp

found: 2012-01-31

by: V. Paulikas

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

 

Vendor description:

-------------------

WD ShareSpace is a high-speed network-attached storage system with capacities up
to 8 TB, and its space-saving footprint gives you all the benefits of a big-time
data center without the need for a big-time IT department. Perfect for
centralizing and sharing data and multimedia files on a small office or home
network.

 

Source: www.wdc.com/wdproducts/library/AAG/ENG/4178-705023.pdf

 

 

 

Vulnerability overview/description:

-----------------------------------

The WD ShareSpace network storage system has a built-in WEB GUI that is used to
administer the device. The WEB GUI is prone to sensitive data disclosure because
the access rights on the configuration file config.xml are improperly
configured: the web server delivers the file to clients that have not
authenticated. By requesting config.xml directly, an unauthenticated attacker
who can reach the web interface obtains the system's configuration data,
including network settings, shared folder names, SMB user names with their
hashed passwords and the administrator's credentials. The password hashes can
be attacked offline, and the administrator credentials give full
administrative control over the device through the same WEB GUI.

 

 

Proof of concept:

-----------------

The vulnerability is exploited by requesting the config.xml file directly with
a browser (or any HTTP client); no session or credentials are needed.

The PoC URL has been removed from this advisory because no vendor patch is
available.
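As an added example (not part of the original advisory, and not SEC Consult's or Western Digital's code), the following Python script checks whether a given URL hands an XML configuration file to a client that presents no credentials, and lists the sensitive-looking elements it contains with their values redacted. Because the advisory withholds the PoC URL, the path is supplied by the operator, and the element names in the embedded sample configuration are constructed to resemble what the advisory describes, not the device's real schema.

```python
#!/usr/bin/env python3
"""Added example: probe a NAS web GUI for an unauthenticated configuration
file and report sensitive-looking XML elements with their values redacted.
Not the advisory's PoC; the URL path is supplied by the operator."""
import re
import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Element names that typically carry credentials or account data. Assumption:
# the real config.xml schema is not published in the advisory, so match broadly.
SENSITIVE_TAG = re.compile(r"pass|pwd|hash|secret|key|user|admin", re.IGNORECASE)

# Constructed sample resembling what the advisory describes (network settings,
# share names, SMB users with hashed passwords, administrator credentials).
# All element names and values are made up for this example.
SAMPLE_CONFIG = b"""<?xml version="1.0"?>
<config>
  <network><hostname>sharespace</hostname><ip>192.0.2.10</ip></network>
  <shares><share><name>Public</name></share></shares>
  <users>
    <user><name>alice</name><smb_password_hash>0123456789abcdef0123456789abcdef</smb_password_hash></user>
  </users>
  <admin><admin_user>admin</admin_user><admin_password>s3cret</admin_password></admin>
</config>
"""


def fetch_unauthenticated(url, timeout=10):
    """GET the URL with no cookies and no Authorization header.
    Returns (status, body), or None if the host is unreachable."""
    req = urllib.request.Request(url, headers={"User-Agent": "config-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None


def redact(value):
    """Keep only the first and last two characters so a report can be shared."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def find_sensitive_elements(xml_bytes):
    """Return [(element_path, redacted_value), ...] for elements with text whose
    tag name looks sensitive, or None if the body is not well-formed XML.
    The stdlib parser does not fetch external entities; prefer defusedxml when
    parsing files from devices you do not control."""
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError:
        return None
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SENSITIVE_TAG.search(elem.tag):
            findings.append((here, redact(text)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def assess(status, body):
    """Classify the response. A 200 alone proves nothing: many devices answer
    unauthenticated requests with a 200 and an HTML login page, so the body
    must parse as XML and actually contain account data to count as exposed."""
    if status is None:
        return "unreachable", []
    if status in (401, 403):
        return "protected", []
    if 200 <= status < 300:
        findings = find_sensitive_elements(body)
        if findings is None:
            return "served-non-xml", []
        return ("exposed" if findings else "served-xml-no-secrets"), findings
    return f"http-{status}", []


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} http://<nas-host>/<path-to-config.xml>", file=sys.stderr)
        return 2
    result = fetch_unauthenticated(argv[1])
    verdict, findings = assess(*result) if result else assess(None, b"")
    print(verdict)
    for path, value in findings:
        print(f"  {path} = {value}")
    return 1 if verdict == "exposed" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a device you own with the URL of the configuration file; an exit status of 1 means the file was served without authentication and contained credential-like elements. The verdict deliberately distinguishes "served-non-xml" (typically a login page returned with HTTP 200) from "exposed", since a status-code-only check would misreport the former.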

 

 

Vulnerable / tested versions:

-----------------------------

Tested: WD ShareSpace v2.3.01. The vendor additionally confirmed (see the
timeline below) that firmware v2.3.02 (D and E series) is affected, so all
versions up to and including v2.3.02 are considered vulnerable.

 

 

 

Vendor contact timeline:

------------------------

2012-02-17: Contacting vendor through the help center (http://wdc.custhelp.com/app/ask/).
2012-02-24: Vendor response: the issue is being forwarded to the appropriate
product development team (the "Level 2 team" in WD's terms) for review and
confirmation. Case 120217-002268 opened.
2012-03-02: Vendor response: the issue has been reviewed, additional information
is required.
2012-03-07: Providing additional information regarding the vulnerability.
2012-03-12: Vendor response: the vulnerability has been escalated to their
engineering team to verify and fix if possible.
2012-04-19: Asking whether the vulnerability has been fixed, because of the long
response time.
2012-04-24: Vendor response: the vulnerability is not resolved.
2012-05-03: Vendor response: a firmware update is available; it is not related
to the vulnerability.
2012-05-07: Asking the vendor to recheck whether the firmware update really
solves the problem.
2012-05-09: Vendor confirms that the new firmware does not solve the problem.
2012-05-10: Asking the vendor for a more in-depth analysis of the issue.
2012-05-15: Vendor confirms the issue: ShareSpace running firmware version
2.3.02 (D and E series) is affected. The vendor does not consider it a security
vulnerability.
2012-05-31: Informing the vendor about the release of the advisory on 2012-06-18.
No answer.
2012-06-11: Informing the vendor once more about the release of the advisory on
2012-06-18. No answer.
2012-06-18: No further response from the vendor. Advisory published according to
SEC Consult's responsible disclosure policy.

 

 

 

Solution:

---------

No patch available.

 

 

Workaround:

-----------

Allow access to the administrative web interface only from trusted networks,
for example by placing the device behind a firewall that restricts its
HTTP/HTTPS ports to administrator hosts; never expose the device directly to
the Internet. Because config.xml is readable without authentication, every host
that can reach the web interface can read it, so network-level restriction is
the only effective mitigation until a fix is available. If the web interface
has been reachable from untrusted networks, treat the administrator and SMB
passwords as compromised and change them.

 

 

 

Advisory URL:

-------------

www.sec-consult.com/en/advisories.html

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Unternehmensberatung GmbH

 

Office Vienna

Mooslackengasse 17

A-1190 Vienna

Austria

 

Tel.: +43 / 1 / 890 30 43 - 0

Fax.: +43 / 1 / 890 30 43 - 25

Mail: research at sec-consult dot com

www.sec-consult.com

 

EOF V. Paulikas / @2012