Owners of Western Digital network attached storage (NAS) devices may have yet another security headache on the horizon. Following the two flaws hackers exploited to wipe My Book Live devices remotely, security journalist Brian Krebs has published a report on another zero-day vulnerability that affects Western Digital products running the company’s My Cloud OS3 software. What’s more, it doesn’t appear there will be an official fix for those who don’t upgrade to a newer storage solution.
Earlier in the year, security researchers Radek Domanski and Pedro Ribeiro discovered a series of weaknesses that allow a malicious actor to remotely update a My Cloud OS3 device to add a backdoor. The two say they never heard back from the company when they tried to contact it about the vulnerability. Western Digital attributes its response (or lack thereof) to one of its previous policies.
“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” a spokesperson for the company told Krebs. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again.”
While the flaw isn’t present in Western Digital’s new My Cloud OS 5, it’s unclear if the company ever went back to address it in My Cloud OS3. What’s more, it no longer plans to support the older software. “We will not provide any further security updates to the My Cloud OS3 firmware,” Western Digital says on a support page dated March 12th, 2021. “We strongly encourage moving to the My Cloud OS 5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5.”
When Engadget reached out to Western Digital, a spokesperson for the company told us "there is a fix for this vulnerability — we 'patched' OS3 with OS 5." They added: "My Cloud OS 5 is a major security release that provides an architectural revamp of our older My Cloud firmware. All My Cloud products currently under active support are eligible for the My Cloud OS 5 upgrade and we recommend that all users upgrade as soon as possible to benefit from the latest security fixes."
If you own a device that you can’t update to My Cloud OS 5, you can download a patch Domanski and Ribeiro developed. One thing to note is you’ll need to reapply it each time you reboot your device. You can also protect your My Cloud NAS drive by limiting its access to the internet.
Update 6:35PM ET: Added comment from Western Digital.