Western Digital Devices Hit by New Vulnerability

The shock that thousands of users felt when they discovered their Western Digital My Book Live devices had been wiped clean in a destructive hack attack in late June is probably still fresh in their memory. Now Western Digital devices have had another vulnerability exposed that allows dangerous remote code execution.

The newly discovered vulnerability affects WD My Cloud devices, and specifically those running the outdated, no longer supported My Cloud 3 operating system. If bad actors get to a My Cloud OS 3 device that still has the vulnerability, they gain access to remote code execution functionality, and at root level, giving them practically full control over the device. The bad actors can also install a backdoor on the compromised devices. The issue affects all devices running My Cloud OS 3.

Users, of course, have the option to upgrade their devices to the My Cloud OS 5, but according to researchers, this might not be as smooth a process as you might expect. Reporting on the new vulnerability, Threatpost explains that with the updates from OS 3 to OS 5 the manufacturer "skewed" some features that many users considered important and a lot of users may be unwilling to upgrade their devices and lose functionality that they enjoy greatly.

The two researchers who found the vulnerability in the OS 3 version of the WD software, called Domanski and Ribeiro, actually published a custom patch they made that takes care of the OS 3 vulnerability. The patch is available on GitHub and will be of great help to people who don't want to lose their favorite OS 3 functionality but want to have a secure device. The only inconvenience with the unofficial patch is that it has to be reapplied every time the storage devices are rebooted.

Western Digital have discontinued support for OS 3 and are only supporting the OS 5 version of their software, where the vulnerability does not exist.

Only a week ago Western Digital device owners across the world found their My Book Live devices were wiped clean. The attack was originally thought to abuse an old bug allowing remote code execution that dates back to 2018. A little later, it was revealed that the attacks also abused another, previously unknown zero-day vulnerability that allowed hackers to remotely wipe devices completely and revert them to factory settings.

By Zaib
July 8, 2021
Computer Security
English
July 8, 2021
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Computer Security

Western Digital My Book Live Devices Wiped Remotely by Hackers

The My Book Live is a networked attached storage device manufactured by data storage company Western Digital. Over the last few days, the Internet has been rife with warnings about attacks on My Book Live devices that... Read more

June 28, 2021
Computer Security

1 Billion WI-Fi Connected Devices Are Vulnerable Due to a Security Vulnerability

IoT is the future, or so we're being told all the time - with technology not so much marching, but rather frog leaping into orbit, smart homes and interconnected appliances that you can command at will from your phone... Read more

March 30, 2020
News

A Newly Discovered LTE Vulnerability Makes It Possible to Impersonate Mobile Devices and Their Owners

Onе of the key roles of IT security specialists and researchers nowadays is not only to develop countermeasures to existing threats and attacks but to discover weaknesses in essential IT systems and to take measures... Read more

March 31, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.