Another Zero-day found in Western Digital network Storages

This second Zero-day affects Western Digital NAS running MyCloud OS 3.

Security researchers Radek Domanski and Pedro Ribeiro discovered a previously unknown vulnerability in Western Digital NAS devices running MyCloud OS 3. Experts planned to exploit it at the Pwn2Own hacker competition in Tokyo last year, but a few days before the event, the manufacturer released MyCloud OS 5, which completely fixes the vulnerability, so their plan fell through.

In February of this year, Domanski and Ribeiro posted a video on YouTube showing how they managed to discover a chain of vulnerabilities that could allow attackers to remotely update the firmware of network storage devices and install a backdoor using a user account with low privileges and an empty password.

According to the researchers, they notified Western Digital of the discovered vulnerability, but the company did not respond to their report. The manufacturer confirms that it received a corresponding report from Domanski and Ribeiro, but after Pwn2Own in Tokyo, the vulnerability was fixed in MyCloud OS 5. Whether the problem is fixed in MyCloud OS 3 is unknown. According to the company's notice on the support site dated March 12, 2021, there will be no more security updates for MyCloud OS 3.

As Domanski notes, MyCloud OS 5 is a completely rewritten Western Digital operating system, and some of the key features found in MyCloud OS 3 are missing from it. Many users may not want to upgrade to MyCloud OS 5, and it would be worth fixing a dangerous vulnerability in MyCloud OS 3. In this regard, the researchers released their own patch, which needs to be installed again after each reboot of the device.

As a reminder, Western Digital's Digital My Book users faced a massive factory reset last month. As it turned out, the devices were attacked by hackers through two vulnerabilities, and they were exploited by different groups competing with each other.