A zero-day flaw leaves Western Digital (WD) devices running My Cloud OS 3 vulnerable to attack. The new vulnerability, discovered by security researchers, drew attention a few days after another major vulnerability appeared. WD quietly fixed the issue affecting its My Cloud OS 3 drives in My Cloud OS 5, released last year. However, because a large number of WD network-attached storage (NAS) devices have not yet been updated to the latest version of the operating system, this vulnerability may still have a significant impact.
Security researchers Pedro Ribeiro and Radek Domanski discovered the zero-day vulnerability in My Cloud OS 3. They made a YouTube video describing the issue, which basically allows an attacker to remotely place firmware on the device through the vulnerability, using the backdoor reported by KrebsOnSecurity. The vulnerability may be exploited if a user account with a blank password is used.
The researchers said that the vulnerability affects most of WD’s NAS series, although devices running My Cloud OS 5 are not affected because the new operating system fixes the vulnerability. WD also states on its support page that it will not provide security updates for My Cloud OS 3 firmware, and recommends that users migrate to My Cloud OS 5.
The latest version of the operating system is not affected by the zero-day vulnerability. WD provides steps to upgrade to My Cloud OS 5 on its support page, but these are of no use to users who have unsupported hardware or who want to take full advantage of My Cloud OS 3. The researchers who found the vulnerability released their own patch to close the hole in My Cloud OS 3. WD said that it knew of third parties that provided security fixes for the old equipment. “We have not evaluated any of these fixes, and we cannot support them,” WD said.
The scope of the new zero-day vulnerability may be as large as that of the vulnerability that affected WD My Book Live users last month. However, the company has not confirmed whether any solutions are under development.