Numerous Western Digital prospects noticed their MyBook Dwell community storage drives remotely wiped up to now month because of a bug in a product line the corporate stopped supporting in 2015, in addition to a beforehand unknown zero-day flaw. However there’s a equally severe zero-day flaw current in a much wider vary of newer Western Digital MyCloud community storage units that can stay unfixed for a lot of prospects who can’t or received’t improve to the most recent working system.
At challenge is a distant code execution flaw residing in all Western Digital community hooked up storage (NAS) units working MyCloud OS three, an working system the corporate solely not too long ago stopped supporting.
Researchers Radek Domanski and Pedro Ribeiro initially deliberate to current their findings on the Pwn2Own hacking competition in Tokyo final yr. However simply days earlier than the occasion Western Digital launched MyCloud OS 5, which eradicated the bug they discovered. That replace successfully nullified their probabilities at competing in Pwn2Own, which requires exploits to work in opposition to the most recent firmware or software program supported by the focused system.
However, in February 2021, the duo printed this detailed YouTube video, which paperwork how they found a sequence of weaknesses that permits an attacker to remotely replace a susceptible system’s firmware with a malicious backdoor — utilizing a low-privileged person account that has a clean password.
The researchers stated Western Digital by no means responded to their stories. In a press release supplied to KrebsOnSecurity, Western Digital stated it acquired their report after Pwn2Own Tokyo 2020, however that on the time the vulnerability they reported had already been fastened by the discharge of My Cloud OS 5.
“The communication that got here our means confirmed the analysis staff concerned deliberate to launch particulars of the vulnerability and requested us to contact them with any questions,” Western Digital stated. “We didn’t have any questions so we didn’t reply. Since then, we now have up to date our course of and reply to each report with the intention to keep away from any miscommunication like this once more. We take stories from the safety analysis group very critically and conduct investigations as quickly as we obtain them.”
Western Digital ignored questions on whether or not the flaw discovered by Domanski and Ribeiro was ever addressed in OS three. An announcement printed on its help web site March 12, 2021 says the corporate will no longer provide further security updates to the MyCloud OS 3 firmware.
“We strongly encourage transferring to the My Cloud OS5 firmware,” the assertion reads. “In case your system shouldn’t be eligible for improve to My Cloud OS 5, we advocate that you just improve to one in all our different My Cloud choices that help My Cloud OS 5. Extra info may be discovered here.” An inventory of MyCloud units that may help OS 5 is here.
However based on Domanski, OS 5 is a whole rewrite of Western Digital’s core working system, and because of this a number of the extra widespread options and performance constructed into OS3 are lacking.
“It broke a whole lot of performance,” Domanski stated of OS 5. “So some customers won’t determine emigrate to OS 5.”
In recognition of this, the researchers have developed and released their own patch that fixes the vulnerabilities they present in OS three (the patch must be reapplied every time the system is rebooted). Western Digital stated it’s conscious of third events providing safety patches for My Cloud OS three.
“We now have not evaluated any such patches and we’re unable to supply any help for such patches,” the corporate acknowledged.
Domanski stated MyCloud customers on OS three can nearly get rid of the menace from this assault by merely making certain that the units usually are not set as much as be reachable remotely over the Web. MyCloud units make it tremendous straightforward for purchasers to entry their knowledge remotely, however doing so additionally exposes them to assaults like final month’s that led to the mass-wipe of MyBook Dwell units.
“Fortunately for a lot of customers they don’t expose the interface to the Web,” he stated. “However wanting on the variety of posts on Western Digital’s help web page associated to OS3, I can assume the userbase remains to be appreciable. It virtually appears like Western Digital with none discover jumped to OS5, leaving all of the customers with out help.”
Dan Goodin at Ars Technica has a fascinating deep dive on the opposite zero-day flaw that led to the mass assault final month on MyBook Dwell units that Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital acknowledged that the flaw was enabled by a Western Digital developer who eliminated code that required a sound person password earlier than permitting manufacturing facility resets to proceed.
Dealing with a backlash of offended prospects, Western Digital additionally pledged to supply knowledge restoration providers to affected prospects beginning this month. “MyBook Dwell prospects can even be eligible for a trade-in program to allow them to improve to MyCloud units,” Goodin wrote. “A spokeswoman stated the information restoration service shall be freed from cost.”
If attackers get round to exploiting this OS three bug, Western Digital would possibly quickly be paying for knowledge restoration providers and trade-ins for an entire lot extra prospects.