Security researchers recently reported a vulnerability in Western Digital MyBook Live network storage drives. The vulnerability allowed remote attackers to wipe the drives “thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw.”
Serious Vulnerabilities in Western Digital MyCloud Network Storage Devices
However, the researchers pointed out a “similarly serious zero-day” located in a much broader range of newer Western Digital MyCloud network storage devices. The worrying part is that the bug will not be fixed for the many customers who can’t or won’t upgrade to the latest OS.
The flaw in question is an RCE (remote code execution) issue that resides in all Western Digital network-attached storage (NAS) devices that run MyCloud OS 3, an operating system the company no longer supports.
“Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device,” Brian Krebs reported.
Nonetheless, a few months ago the researchers published a detailed YouTube video showing how they discovered a chain of flaws that allows attackers to remotely update a vulnerable device’s firmware with a malicious backdoor. This was done via a low-privileged user account with a blank password.
According to the research duo, Western Digital never responded to their reports. “In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5,” Brian Krebs explained.
What did Western Digital say?
It appears that they didn’t contact the researchers because they didn’t have any questions regarding the discovery. This is part of the company’s statement Krebs recently shared:
The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions. We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.
The company strongly recommends that its users move to the My Cloud OS 5 firmware. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.”
However, according to Domanski, users should be aware that OS 5 is a complete rewrite of Western Digital’s core operating system, meaning that some of the more popular features and functionalities built into OS 3 are missing.
In response to multiple unhappy customers, Western Digital promised to provide data recovery services. According to Ars Technica’s Dan Goodin, “MyBook Live customers will also be eligible for a trade-in program so they can upgrade to MyCloud devices.” In addition, a Western Digital spokeswoman said the data recovery service will be free of charge.