Another 0-Day Vulnerability Threatens Many Western Digital Users

image

Last month, due to a bug in a product line that the company stopped supporting in 2015, as well as a previously unknown zero-day vulnerability, countless buyers Western digital lost data on NAS MyBook Live… But similar serious zero-day vulnerabilities are present in much more newer Western Digital NAS. MyCloud… They are not eliminated from those buyers who are unable or unwilling to update to the latest version of the operating system.

The problem with remote code execution is inherent in all Western Digital NAS devices with an operating system. MyCloud OS 3, which the company stopped supporting only recently.

Researchers Radek Domanski and Pedro Ribeiro originally planned to share their discoveries last year at hacking competition Pwn2Own in Tokyo… But a few days before the event, Western Digital released MyCloud OS 5, in which the bug they found was fixed. This update essentially destroyed their chances of competing in Pwn2Own, as participation requires exploits to work against the latest firmware or software supported by the target device.

However, in February 2021, this pair of researchers published on YouTube detailed video, which documents the process of discovering a chain of weaknesses, allowing an attacker to remotely update the firmware of a vulnerable device with a malicious backdoor using a user account with low privileges and an empty password.

The researchers said Western Digital never responded to their reports. In a statement to the KrebsOnSecurity website, Western Digital said it received their report after Pwn2Own Tokyo 2020, but at that time the vulnerability reported in the report had already been addressed with the release of My Cloud OS 5.

“Correspondence sent to us confirmed that the research team plans to publish the details of this vulnerability and asks to contact it if we have questions,” – said Western Digital. “But we didn’t have any questions, so we didn’t answer. Since then, we have changed the communication process and began to respond to each report in order to avoid similar misunderstandings in the future. We take reports from the security research community very seriously and investigate them as soon as we receive them. “

Western Digital ignored questions about whether OS 3 resolved the problems found by Domanski and Ribeiro. In a statement published on the company’s website on March 12, 2021, it is said that the company will no longer develop security updates for the MyCloud OS 3 firmware

“We highly recommend upgrading to My Cloud OS5 firmware,” the statement reads. “If your device cannot be upgraded to My Cloud OS 5, we recommend that you upgrade to another My Cloud product that supports My Cloud OS 5. For more information, see here“. For a list of MyCloud devices that can support OS 5, see here

But according to Domanski, OS 5 is a completely rewritten Western Digital operating system, which is why it lacks some of the most popular features and functions of OS3.

“They broke most of the functionality, so some users may not be able to decide to migrate to OS 5.”

With this in mind, the researchers developed and released their own patchthat eliminates the vulnerabilities they found in OS 3 (the patch must be reinstalled every time the device is restarted). Western Digital said it is aware that third-party vendors are offering security patches for My Cloud OS 3.

“We have not tested any of these patches and cannot provide support for them,” the company said.

image
An excerpt from a video demonstrating how researchers remotely upload their malicious firmware through a zero-day vulnerability in MyCloud OS 3.

Domanski argues that MyCloud OS 3 users can virtually eliminate the threat of this attack by making sure that devices cannot be accessed remotely over the Internet. MyCloud devices make it very easy for shoppers to access data remotely, but at the same time it exposes them to the risk of attacks like last month.

“Fortunately, many users do not expose their interface to the Internet. But given the number of posts on the Western Digital support page related to OS3, it can be assumed that the user base of such devices is still significant. It seems like Western Digital has moved abruptly to OS5 without warning, leaving all users without support. “

Dan Goodin of Ars Technica wrote amazing deep view another zero-day vulnerability that led to a massive attack on MyBook Live devices that Western Digital stopped supporting in 2015. In response to Goodin’s article, Western Digital acknowledged that the vulnerability arose because a Western Digital developer removed a code that requires a user password to perform a factory reset.

Faced with criticism from angry users, Western Digital also undertook starting this month, provide data recovery services to those affected by this problem. “In addition, MyBook Live customers will be able to participate in the trade-in program to upgrade their MyCloud devices. A company spokeswoman said that data recovery services will be free, ”wrote Goodin.

If attackers can exploit this OS 3 bug, then Western Digital may soon have to provide data recovery services and trade-in programs to a much larger number of customers.

Advertising

VDS with NVMe storage – this is about virtual servers from our company.
For a long time we have been using exclusively fast server drives from Intel, we do not save on hardware, only branded equipment and some of the best data centers in Russia and the EU. Hurry up to check;)

Subscribe to our chat in Telegram

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *