Just weeks after a bug allowed hackers to remotely wipe the data from MyBook Live network storage drives, cybersecurity researchers revealed another zero-day flaw present in Western Digital products running MyCloud OS 3.
The products in question are network-attached storage drives, which differ from traditional external drives in allowing wireless file-sharing among multiple devices.
The two researchers who discovered the flaw, Radek Domanski and Pedro Ribeiro, initially wanted to present their findings at the Pwn2Own hacking competition in November 2020. However, before the start of the competition in Tokyo, Western Digital “fixed” the issue by releasing MyCloud OS 5, which doesn’t have this vulnerability. The competition requirements state that all presented hacks and vulnerabilities have to be found in the latest available firmware, meaning Domanski and Ribeiro were no longer eligible to participate.
However, the release of a new version of the OS for these devices didn’t solve the problem for users sticking to version 3. Furthermore, not all devices are compatible with MyCloud OS 5, and some users who could make the switch don’t want to, since the new version lacks some features of the previous one.
The researchers decided to reveal the flaw in a YouTube video, where they show how an attacker could remotely update the device’s firmware with a malicious backdoor. Thankfully, the pair also provided an unofficial patch that removes the bug. The problem, however, is that the patch has to be applied every time the device is rebooted.
The research team stated they decided to release the YouTube video in February after Western Digital failed to respond to their reports. In a statement given to KrebsOnSecurity, the company said, “The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions. We didn’t have any questions, so we didn’t respond.”
Still, the company didn’t offer any solution for users who remain on MyCloud OS 3, apart from updating to MyCloud OS 5. For those running incompatible devices, it suggested either upgrading to a device that can run MyCloud OS 5 or disabling the remote access feature.