There’s a new zero-day and more potential trouble for WD NAS users.
A new bug has been reported by researchers Radek Domanski and Pedro Ribeiro that plagues Western Digital users who fail to upgrade their My Cloud storage devices.
This comes shortly after a big surprise for WD users when they learned about the failure of their My Cloud storage devices last month, which had many customers lose their data. Later, it turned out the latest firmware for the My Book Live devices had a zero-day bug that allowed an attacker to execute factory resets on Internet-connected My Books.
The latest zero-day exploit introduces a method that allows an unauthenticated attacker to execute code on a secured network-attached storage device (NAS) as root and install a permanent backdoor.
It affects all Western Digital NAS devices that use My Cloud 3 operating system. According to researchers, the OS is “in limbo” after the company stopped supporting it.
Western Digital has released an update in its My Cloud OS 5, which fixed the bug that could have allowed remote attackers to execute arbitrary code. However, the researchers who discovered the flaw said that OS 3 was a complete rewrite of the operating system that skewered some popular functionality; therefore, not all users are willing to upgrade.
“It broke a lot of functionality,” Domanski said of OS 5, as quoted by Krebs, a well-known cybersecurity expert. “So some users might not decide to migrate to OS 5.”
Domanski and Ribeiro have come up with a patch that fixes the OS 3 bugs they found. But it comes with a caveat: Users have to reapply it every time the device reboots.