Security company SEC Consult warns that Western Digital’s TV Media Player contains several critical, unpatched vulnerabilities that allow an attacker to take full control of the device. Once the device is compromised, it’s even possible to take control of the network in which the device is installed. The security researchers from SEC Consult found 8 vulnerabilities in total. One allows an attacker to upload and execute files without a password; another is that the Media Player’s web server software is vulnerable to cross-site request forgery (CSRF). The firmware also contains the private key of the device, which means all users share the same key and attackers are therefore able to decrypt all content using that key. Further security problems are that the web server runs as root and that the login page is not protected against brute-force attacks. The last vulnerability is in the SQLite database the device uses, which is vulnerable to SQL injection.
SEC Consult warned Western Digital on the 18th of January this year. Several days later WD responded with, “we don’t have a security department that we could forward this concern”. SEC Consult eventually got in contact with someone at WD who was responsible for security, but the company didn’t release a patch. In February WD asked to delay the disclosure of the vulnerabilities by 90 days, but it still hasn’t released a patch.
SEC Consult has now disclosed the vulnerabilities in a security advisory.
The vulnerabilities are confirmed to exist in Media Player 1.03.07; it’s very likely that older versions are vulnerable as well.