Western Digital My Net N600, N750, N900 and N900C - Plain text disclosure of administrative credentials

Vulnerable Products -
WD My Net N600 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N750 HD Dual Band Router Wireless N WiFi Router Accelerate HD
Linux 2.6.3 Kernel
All firmware including the latest Ver. 1.04.16

WD My Net N900 HD Dual Band Router Wireless N WiFi Router Accelerate HD
WD My Net N900 Central HD Dual Band Router 2TB Storage WiFi Wireless Router
Firmware 1.06 and below -
Version 1.07.16 released on 05/2013 fixes the bug for the N900 and N900C

Vulnerabilities -
Due to a unspecified bug in the WD My Net N600, N750, N900 and N900C
routers, administrative credentials are stored in plain text and are
easily accessible from a remote location on the WAN side of the
router.

Note: In addition, hidden elements of the administrative GUI can be
revealed on all the routers with a few trivial actions. It is not
known at this time if changes to the admin console can be successful
made through the revealed elements.

Conditions -
UPnP and remote administrative access must be enabled for the bug to
be activated.

Vendor Timeline-
Western Digital has not returned any inquires that have been made
regarding the bug.

Patches of Fixes-
On WD My Net N900 and N900C
It is advised that users upgrade to Firmware Version 1.07.16, which
fixes the bug on these two routers.

On WD My Net N600 and N750
There are no known patches or fixes available at this time.

Mitigation and Workarounds-
On N900 and N900C
Upgrade to Firmware Version 1.07.16

WD My Net N600 and N750
Turn off all remote administrative access to the router
Disable UPnP services
Change the default username and password

Discovered - 07-02-2013
Research Contact - K Lovett
Affiliation - SUSnet