Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.
At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.
Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.
Nevertheless, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor — using a low-privileged user account that has a blank password.
The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.
“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”
Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3. A statement published on its support site March 12, 2021 says the company will no longer provide further security updates to the MyCloud OS 3 firmware.
“We strongly encourage moving to the My Cloud OS5 firmware,” the statement reads. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” A list of MyCloud devices that can support OS 5 is here. Continue reading