Western Digital (WD) devices running My Cloud OS 3 have been found to be affected by a zero-day vulnerability. The new vulnerability discovered by security researchers came into the spotlight just days after another major vulnerability resulted in some users deleting their data from WD My Book Live devices. WD quietly mitigated the problem affecting its My Cloud OS 3 storage units by releasing My Cloud OS 5 last year. However, the vulnerability could still have a significant impact as a large number of WD Network Attached Storage (NAS) devices have yet to be updated to the latest operating system.
The zero-day vulnerability affecting My Cloud OS 3 was discovered by security researchers Pedro Ribeiro and Radek Domanski. The two researchers created a video, available on YouTube, describing the issue, which essentially allows attackers to remotely update the firmware on a vulnerable device using backdoor access, as reported by KrebsOnSecurity. The vulnerability could be exploited using a user account that has a blank password.
According to the researchers, the vulnerability affects most of the WD NAS lineup, although devices running My Cloud OS 5 are not affected as the new cloud-based operating system has closed the gap. WD also mentioned on its support page that it would not provide security updates for the My Cloud OS 3 firmware and recommends that users upgrade to My Cloud OS 5.
It is important to note, however, that My Cloud OS 5 is a complete rewrite of the company’s operating system designed for NAS devices. This means that it doesn’t have all of the functionality that was available on My Cloud OS 3. The newer version also doesn’t support remote storage access on older devices, including those running Windows 7, Android 4.0, and iOS 8.0.
The limited availability of features on My Cloud OS 5 may have kept some users on the older (read-only) operating system on their devices. Also note that the new operating system does not support hardware such as the WD My Book Live, My Book Live Duo, WD TV Live Hub, and My Net N900c. It is also not yet available for a list of WD devices, including the My Cloud, My Cloud EX2, My Cloud EX4, and My Cloud Mirror.
Some of the users who tried to switch to My Cloud OS 5 last year also reported that the update bricked their devices.
With all these limitations and problems, it is currently unclear how many users have actually switched to the latest operating system and are not affected by the zero-day vulnerability. WD has provided steps to upgrade to My Cloud OS 5 through a support page, but these will not be useful to users with unsupported hardware or who wish to take advantage of all of the features they were using on My Cloud OS 3.
However, the researchers who discovered the bug developed and released their own patch to close the loophole they found in My Cloud OS 3. WD said that it was aware of third-party vendors offering security patches for its older hardware. “We have not evaluated such patches and cannot provide support for such patches,” it said.
The scope of the new zero-day vulnerability could be as large as the one that affected WD My Book Live users last month. However, the company has yet to confirm whether it has any fixes in the works.
Gadgets 360 has contacted WD for a comment about the new vulnerability and will update this section if the company replies.