Another 0-Day Looms for Many Western Digital Users – Krebs on Security


Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped last month due to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day bug. But there is a similarly fatal zero-day bug in a much wider range of newer Western Digital My Cloud network storage devices, and it will not be fixed for many customers who cannot or will not upgrade to the latest operating system.

It is a remote code execution bug that resides in all Western Digital network attached storage (NAS) devices running My Cloud OS 3, an operating system that the company only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to showcase their findings at the Pwn2Own hacking competition in Tokyo last year. But just a few days before the event, Western Digital released MyCloud OS 5, which fixed the bug they had found. This update effectively destroyed their chances of competing at Pwn2Own, which requires exploits to work against the latest firmware or software supported by the target device.

Still, in February 2021, the duo released a detailed YouTube video that documents how they discovered a chain of vulnerabilities that allows an attacker to remotely update the firmware of a vulnerable device with a malicious backdoor, using a low-privileged user account that has an empty password.

The researchers said Western Digital never responded to their reports. In a statement sent to KrebsOnSecurity, Western Digital said it had received their report after Pwn2Own Tokyo 2020, but that the reported vulnerability had already been fixed by the release of My Cloud OS 5 at the time.

“The notice we received confirmed that the research team involved had planned to release details of the vulnerability and asked us to contact them with any questions,” said Western Digital. “We didn’t have any questions, so we didn’t answer. Since then we have updated our process and respond to every report in order to avoid such misunderstandings again. We take reports from the security research community very seriously and investigate as soon as we receive them.”

Western Digital ignored questions about whether the bug found by Domanski and Ribeiro was ever fixed in OS 3. A statement posted on its support site on March 12, 2021 said the company will no longer provide security updates to the MyCloud OS 3 firmware.

“We strongly recommend upgrading to the My Cloud OS 5 firmware,” the statement said. “If your device is not eligible for an upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. You can find more information here.” A list of MyCloud devices that can support OS 5 can be found here.

But according to Domanski, OS 5 is a complete rewrite of Western Digital’s core operating system, and as a result it lacks some of the more popular features and functionality built into OS 3.

“It broke a lot of functionality,” Domanski said of OS 5. “As a result, some users may not choose to migrate to OS 5.”

For this reason, the researchers have developed and published their own patch that fixes the vulnerabilities they found in OS 3 (the patch must be reapplied every time the device is restarted). Western Digital acknowledged that third parties are offering security patches for My Cloud OS 3.

“We have not evaluated such patches and cannot provide support for such patches,” said the company.

A clip from the video showing how researchers upload their malicious firmware to MyCloud OS 3 via a remote zero-day bug.

Domanski said that MyCloud users on OS 3 can virtually eliminate the threat posed by this attack by simply making sure the devices are not set up to be remotely accessible over the internet. MyCloud devices make it super easy for customers to access their data remotely, but doing so also exposes them to attacks like the one last month that resulted in the mass wiping of MyBook Live devices.

“Fortunately, many users don’t provide the interface to the Internet,” he said. “But if you look at the number of posts on the Western Digital support page for OS 3, I can assume that the user base is still sizeable. It almost feels like Western Digital jumped to OS 5 without notice, leaving all users with no support.”

Dan Goodin at Ars Technica has an intriguing in-depth look at the other zero-day bug, the one that led to last month’s mass attack on MyBook Live devices, which Western Digital stopped supporting in 2015. In response to Goodin’s report, Western Digital admitted that the bug was introduced by a Western Digital developer who removed code that required a valid user password before a factory reset could proceed.

Facing a backlash from disgruntled customers, Western Digital also promised to offer data recovery services to affected customers starting this month. “MyBook Live customers are also eligible for a trade-in program so they can upgrade to MyCloud devices,” Goodin wrote. “A spokeswoman said the data recovery service will be free.”

If attackers manage to exploit this OS 3 bug, Western Digital could soon be paying for data recovery services and trade-ins for many more customers.

