Security researchers warn for 8 critical zero-days in WD TV Media Player

Posted 19 May 2017 19:10 CEST by Jan Willem Aldershoff

Security company SEC Consult warns that Western Digital’s TV Media Player contains several critical, unpatched, vulnerabilities that allow an attacker to take full control over the device. Once the device is compromised it’s even possible to take control over the network in which the device is installed. The security researchers from SEC Consult found 8 vulnerabilities in total. One allows an attacker to upload and execute files without a password, another issue is that the web server software of the Media Player is vulnerable for cross-site request forgery (CRSF). The firmware also contains the private key of the device which means all users use the same key and attackers are therefore able to decrypt all content using that key. Another security problem is that the web server runs as root and that the login page is not protected against brute-force attacks. The last vulnerability is in the used SQL Lite database that is vulnerable to SQL injections.

SEC Consult warned Western Digital on the 18th of January this year. Several days later WD responded with, “we don’t have a security department that we could forward this concern”. Eventually SEC Consult finally came in contact with someone from WD that was responsible for security, but the company didn’t release a patch. In February WD asked to delay the disclosure of the vulnerabilities with 90 days but still hasn’t released  a patch.

SEC Consult has now disclosed the vulnerabilities in a security advisory.

The vulnerabilities are confirmed to exist in Media Player 1.03.07, it’s very likely also older versions are vulnerable.



Myce.com settings

Several settings at Myce.com can be changed, they are stored in cookies, which means they will be reset if you clear Myce.com cookies

Background

Change the background to a plain color or trianglified image (similar to the default image)

No tracking features

At Myce most social media feature are done server side and impose no privacy risk to the visitor when not used. Several features use Javascript with you can turn off here

Layout

Switch to the List layout for an index with chronologycally listed news items or Grid layout for a block based layout. To see the change you need to reload the page

×