Western Digital Users Face Another RCE


Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

Bad news comes in threes, most particularly for Western Digital customers.

As if things weren’t bad enough for the untold number of Western Digital customers whose data blinked out of existence last month, there’s another zero-day waiting for whoever can’t or won’t upgrade its My Cloud storage devices.

The latest zero-day entails an attack chain that allows an unauthenticated intruder to execute code as root and install a permanent backdoor on the vendor’s network-attached storage (NAS) devices. It’s found in all Western Digital NAS devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is “in limbo,” given that Western Digital recently stopped supporting it.

Western Digital has said that its update – My Cloud OS 5 – fixed the bug. Maybe so, but the researchers who found the OS 3 vulnerability, Radek Domanski and Pedro Ribeiro, told security journalist Brian Krebs that OS 5 was a complete rewrite of OS 3 that skewered some popular features and functionality. As such, not all users are likely to upgrade: a presumption underscored by the many users who cited using OS 3 in the support forum when the remote data wipe happened in June.

“It broke a lot of functionality,” Domanski said of OS 5, as quoted by Krebs. “So some users might not decide to migrate to OS 5.”

There is hope. Domanski and Ribeiro have developed and released their own patch that fixes the vulnerabilities they found in OS 3. One problem: It needs to be reapplied every time the device reboots.

The Global RCE Data Wipe

Last month, we saw what a bug like this can lead to: Customers across the world wailed as years – decades, in some cases – of data were remotely wiped off of their old My Book Live and My Book Live Duo devices.

The June attack actually turned out to be two attacks rolled into what at first seemed like one: An old remote-code execution (RCE) bug from 2018 that Western Digital first blamed for the remote wipes, and then a previously unknown zero-day flaw that enabled unauthenticated remote factory-reset device wipes.

As Ars Technica’s Dan Goodin detailed in a fascinating writeup, Ars and Derek Abdine, CTO at security firm Censys, analyzed logs from affected devices and found that the devices seemed to have been caught in some kind of tug-of-war, in what Abdine hypothesized might have been a struggle between multiple attackers for control of the compromised devices.

The Latest Zero Day

Now comes this one, the latest bug, reported last week by Krebs. It’s a third, similarly serious zero-day vulnerability in a much broader range of newer Western Digital My Cloud NAS boxes. Domanski and Ribeiro originally planned to present it at the Pwn2Own hacking contest in Tokyo last year.

They never did: As vendors tend to do, Western Digital pushed out an update a mere week before the pair – who hack together as Flashback Team – were going to present. Given that the update squashed their bug, the researchers couldn’t compete. Pwn2Own rules stipulate that exploits work against the latest firmware or software supported for a targeted device.

But in February, they did publish the attack chain they pieced together, shown in the YouTube video below. The duo gave Western Digital “a taste of their own medicine,” giving the company just one week to fix the vulnerability, mirroring the one week before the Pwn2Own event in which the OS 5 update dropped.

Why so little time? A few reasons: Because OS 3 is out of support, because Comparitech researchers had already found five critical RCE flaws in Western Digital devices that they published back in November 2020, because Western Digital never responded to the Flashback Team, and because Western Digital’s official response was a bit of a shrug. Namely, the vendor recommended ditching OS 3 and upgrading to OS 5: a response that didn’t clarify whether the company had actually fixed the OS 3 vulnerabilities.

In a March 12, 2021 statement, the company said that OS 3 would no longer be supported:

We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” Western Digital said in the statement. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” The vendor also provided a list of My Cloud devices that can support OS 5.

Western Digital ignored Krebs’ question about whether the vulnerabilities in OS 3 were ever addressed. Threatpost reached out to the company to ask the same question and will update the article if we hear back.

Western Digital told Krebs that it hadn’t responded to Flashback Team because it received their report after Pwn2Own Tokyo 2020, by which time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital told Krebs OnSecurity. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

That Doesn’t Cut It

Craig Young, principal security researcher at Tripwire, told Threatpost that ignoring advisories from security researchers is bad form. “It is a very bad practice for software vendors to ignore communication from security researchers,” he said via email. “‘We didn’t have any questions so we didn’t respond’ just doesn’t cut it as an explanation for vendor silence.”

Rather, best practice dictates that “all reports received by a security team receive some form of response to the reporter,” Young continued. “It’s also worth a closer look at the timeline here. Based on what I’ve read, the vendor knew about the critical flaw affecting OS 3 several months before support ended for this platform. While it is understandable that they prioritized release of a new major version including the security fixes, the vendor also should have backported the fix for OS 3 users long before it went out of support in March 2021.”


Discussion

  • CyberVitae on

    WD should fess up to how many customers are still running the latest 4.X FW on OS3, as those devices can't be upgraded to OS5. They've been deliberately silent on that. I'll never buy another WD product again.
  • Guru on

    No WD for me anytime soon.
  • Richard Crouthamel on

    Used their products since I started in computers in 1979. Never use anything of theirs again.
  • x64436443 on

    This is comical act from WD, they don't see any reason to properly support their product. After that resetting to factory default action, I have serious doubt most client will choose again WD brand. I have friend and he choose expensive line Syn*** (brand). My other friend bought appliance from Super*** and run FreeNas on IT. So you must ask yourself if you want to buy NAS, do your data will be secured, and you will get properly support and security flaw fixes? Sometimes price tag is not only cost, that should be added to TCO.
  • Sttyf Lopez on

    Just to never touch a WD NAS device simply don't do it. I have put our memories of more than 15 years of family history on their hands and suddenly I'm locked out from it. When you reach to them with so a BIG AND SENSITIVE ISSUE all they said is: "Sorry, you are out of warranty." Could someone pinpoint me to a good lawyer to have this greedy corporation to take responsibility for what is entrusted to them when they offered a product that will keep your family history in Video and pictures SAFE? I don't want WD to offer me a replacement piece of junk that will be inaccessible in a couple of years. I Must have my family's history back.
  • Stewart Boggild on

    I recently upgraded the mycloud system I have at home from os3 to os5 and it was by far the worst decision I ever made, since the update my device will only run for an hour before locking up and leaving me unable to access it. Been in touch with customer support where their only response was buy a new device. Before this my device worked perfectly. Crap update, crap customer service, I won't be going WD ever again after this
  • Krustice on

    WD run around. Got the email from WD sort of explains the problem. Their fix was to unplug device from the internet. Then they sent me another email about a 40% off offer to get a new device. All I needed to do was to contact customer service. There is no way to reach them by phone. The email addresses were not specific to this reason i.e. sales, warranty, technical setup. So i went to online chat. After 8 completely unrelated FAQ answers I got put in a hold with 70+ people. Took an hour, I was #1. I get “there are no WD representatives available at this time” and I get dropped. I get back in line, now 190+th place. Went to lunch came back, 70 more to go. Finally get someone. He points me to the support site I had already been to. Then says I need an RMA approval. This was never mentioned before. Then I needed a case # before RMA. After they received my old device I would receive the 40% off coupon. I stated this was not acceptable, was told my issue would be escalated and responded to in 1-2 days. That was last Tuesday. Nada.
