Western Digital (WD) devices running My Cloud OS 3 have been found to be vulnerable due to the existence of a zero-day flaw. The new security loophole, which was discovered by security researchers, has come into the limelight just days after another serious vulnerability led to some users having their data wiped from WD My Book Live devices. WD quietly mitigated the issue impacting its storage units running My Cloud OS 3 by releasing My Cloud OS 5 last year. However, the vulnerability can still result in a major impact as a large number of WD network-attached storage (NAS) devices are yet to be updated to the latest operating system.
The zero-day vulnerability affecting My Cloud OS 3 was discovered by security researchers Pedro Ribeiro and Radek Domanski. Both researchers made a video, which is available on YouTube, to detail the issue that essentially allows attackers to remotely update the firmware on a vulnerable device using backdoor access, as reported by KrebsOnSecurity. The vulnerability could be exploited using a user account that carries a blank password.
According to the researchers, the vulnerability affects most of the WD NAS lineup, though the devices running My Cloud OS 5 are unaffected as the new cloud-based operating system fixed the loophole. WD also mentioned on its support page that it wouldn’t provide any security updates to the My Cloud OS 3 firmware and recommends users to move to My Cloud OS 5.
However, it is important to point out that My Cloud OS 5 comes as a complete rewrite of the company’s operating system designed for NAS devices. This means that it doesn’t carry all the features that were available on My Cloud OS 3. The newer version also doesn’t support remote storage access on older devices, including the ones running on Windows 7, Android 4.0, and iOS 8.0.
The limited feature availability on My Cloud OS 5 may have restricted some users to continue to use the older (read vulnerable) operating system on their devices. Also, it is important to note that the new operating system doesn’t support hardware such as the WD My Book Live, My Book Live Duo, WD TV Live Hub, and the My Net N900c. It is also not yet available for a list of WD devices, including the My Cloud, My Cloud EX2, My Cloud EX4, and the My Cloud Mirror.
Some of the users who tried to move to My Cloud OS 5 last year also reported that the update bricked their devices.
With all these limitations and problems, it is currently unclear how many users have actually switched to the latest operating system and are not affected by the zero-day vulnerability. WD has provided steps to upgrade to My Cloud OS 5 through a support page, but that will not be of any use for people on unsupported hardware or who want to get all the features that they were using on My Cloud OS 3.
Having said that, the researchers who discovered the flaw have developed and released their own patch to fix the loophole they found in My Cloud OS 3. WD noted that it was aware of third parties offering security patches for its older hardware. “We have not evaluated any such patches and we are unable to provide any support for such patches,” it said.
The scope of the new zero-day vulnerability could be as wide as the one affected WD My Book Live users last month. However, the company is yet to confirm whether it has any fixes in the works.
Gadgets 360 has reached out to WD for a comment on the new vulnerability and will update this space when the company responds.