Cybersecurity researchers have unearthed a remote code execution flaw in Western Digital network-attached storage (NAS) devices that run MyCloud OS 3, an operating system no longer supported by the company.
Reporting on the findings of researchers Radek Domanski and Pedro Ribeiro, Brian Krebs writes that WD claims the vulnerability was automatically fixed last year with the release of MyCloud OS 5.
Crucially, however, Krebs notes that in their correspondence, WD ignored questions about whether the flaw was ever addressed in MyCloud OS 3.
- Take a look at the best NAS drives in the market
- These are the best NAS devices currently available
- Check our roundup of the best cloud storage services
Fixing the bug in the old release is important, since according to WD’s support statement not all MyCloud OS 3 devices are eligible for upgrade to MyCloud OS 5.
Old vulnerabilities
According to the researchers, who’ve posted a video detailing the vulnerability, they managed to update the firmware of a MyCloud OS 3-equipped device with a malicious backdoor through a low-privileged user that has a blank password.
The researchers claimed that WD never responded to their report of the vulnerability, though the company, in their response to Krebs, claims it was because of a miscommunication.
In a statement to Comparitech last year, WD said that users who can’t update to MyCloud OS 5 should turn off remote dashboard access to the device, reports The Verge, hinting that the company never got around to fixing the issue.
Meanwhile, the researchers have released a fix for the vulnerability in MyCloud OS 3, and WD tells Krebs that it is aware of third parties offering security patches for the officially unsupported OS.
WD has had unfortunate run-ins with old vulnerabilities in unsupported devices, of late. Last week, a decade old unpatched vulnerability led to several users losing their data as their My Book NAS devices were factory reset in an ongoing malware campaign.
- These are the best rugged hard drives out there
