Another WD exploit surfaces, allows remote install of modified NAS firmware

Modified firmware could allow attackers to execute commands, brick devices or worse

Western Digital just can’t catch a break.

Yet another security flaw has surfaced for WD NAS (network-attached storage) owners. This time around, the flaw impacts My Cloud OS 3 devices. It allows malicious actors to access a device and install modified firmware capable of executing commands, bricking the device or worse.

Security researchers Pedro Ribeiro and Radek Domanski (via KrebsOnSecurity) detailed the vulnerability, and the process of remotely updating WD NAS devices with modified firmware, in a video.

Typically, firmware updates are only accessible to authenticated users. However, the researchers found that the NAS seems to have a user on it with a blank password, which in some cases allowed the researchers to authenticate and install the modified firmware.

Worse, WD’s advice on the matter is basically to update to My Cloud OS 5 or buy a device with My Cloud OS 5. The company describes My Cloud OS 5 as a “major and fundamental security release” that revamps the architecture of My Cloud firmware and defends against “common classes of attacks.”

Even if My Cloud OS 5 is as secure as WD claims, it’s not exactly an option for all users. For one, many have avoided updating to My Cloud OS 5 because it lacks several features and functions from My Cloud OS 3. For others, the My Cloud OS 5 update isn’t available for their device (you can find a full list of supported devices here). Others have encountered difficulties performing the upgrade, while some people just may not have the money or time to switch their WD NAS.

Unfortunately, WD has also made it clear it doesn’t plan to update My Cloud OS 3 with security patches, which leaves many NAS owners stuck.

Ultimately, it’s a messy situation. For those stuck with a My Cloud OS 3 device, either because they can’t update, won’t update or can’t upgrade, there’s basically one solution WD has offered: disable the remote dashboard access. WD gave the advice in a statement to Comparitech last year, along with a link to instructions for doing so.

If you can afford to upgrade to a new NAS, that may be the best course of action. Plus, it’d give you a chance to move away from WD, which has had a string of recent security issues related to its storage solutions.

Source: KrebsOnSecurity, Comparitech Via: The Verge
