Western Digital Devices Hit by New Vulnerability
The shock that thousands of users felt in late June, when they discovered that their Western Digital My Book Live devices had been wiped clean in a destructive remote attack, is probably still fresh in their memory. Now another Western Digital product line has a disclosed vulnerability that allows remote code execution.
The newly disclosed vulnerability affects WD My Cloud devices, specifically those still running the outdated, no longer supported My Cloud OS 3. An attacker who can reach a My Cloud OS 3 device that still carries the flaw can execute code on it remotely, and as root, which gives practically full control of the device. The attacker can also use that access to install a backdoor on the compromised device. The issue affects every device running My Cloud OS 3.
Users, of course, have the option to upgrade their devices to My Cloud OS 5, but according to the researchers this may not be as smooth a process as you might expect. Reporting on the new vulnerability, Threatpost explains that in the move from OS 3 to OS 5 the manufacturer "skewed" some features that many users considered important, so a significant number of users may be unwilling to upgrade and lose functionality they rely on.
The two researchers who found the vulnerability in the OS 3 version of the WD software, Domanski and Ribeiro, have published a custom patch of their own that closes the OS 3 hole. The patch is available on GitHub and will help people who want to keep their OS 3 functionality but still run a secure device. The one inconvenience of the unofficial patch is that it does not persist: it has to be reapplied every time the storage device is rebooted, so a restart silently reopens the hole until the patch is applied again, and owners who rely on it should verify it is in place after every reboot.
Western Digital has discontinued support for OS 3 and now supports only the OS 5 version of its software, in which the vulnerability does not exist.
Only a week ago, Western Digital device owners across the world found their My Book Live devices wiped clean. The attack was originally thought to abuse an old remote code execution bug dating back to 2018. It was later revealed that the attackers also abused a second, previously unknown zero-day vulnerability that allowed them to remotely reset devices to factory settings, wiping them completely.