Cybersecurity (opens in new tab) researchers have unearthed a remote code execution flaw in Western Digital network-attached storage (NAS) (opens in new tab) devices that run MyCloud OS 3, an operating system no longer supported by the company.
Reporting on the findings of researchers Radek Domanski and Pedro Ribeiro, Brian Krebs writes (opens in new tab) that WD claims the vulnerability was automatically fixed last year with the release of MyCloud OS 5.
Crucially, however, Krebs notes that in their correspondence, WD ignored questions about whether the flaw was ever addressed in MyCloud OS 3.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and you can also choose to enter the prize draw to win a $100 Amazon voucher or one of five 1-year ExpressVPN subscriptions.
>> Click here to start the survey in a new window (opens in new tab) <<
- Take a look at the best NAS drives (opens in new tab) in the market
- These are the best NAS devices (opens in new tab) currently available
- Check our roundup of the best cloud storage (opens in new tab) services
Fixing the bug in the old release is important, since according to WD’s support statement (opens in new tab) not all MyCloud OS 3 devices are eligible for upgrade to MyCloud OS 5.
According to the researchers, who’ve posted a video (opens in new tab) detailing the vulnerability, they managed to update the firmware of a MyCloud OS 3-equipped device with a malicious backdoor through a low-privileged user that has a blank password.
The researchers claimed that WD never responded to their report of the vulnerability, though the company, in their response to Krebs, claims it was because of a miscommunication.
In a statement to Comparitech last year (opens in new tab), WD said that users who can’t update to MyCloud OS 5 should turn off remote dashboard access to the device, reports The Verge (opens in new tab), hinting that the company never got around to fixing the issue.
Meanwhile, the researchers have released a fix for the vulnerability in MyCloud OS 3, and WD tells Krebs that it is aware of third parties offering security patches for the officially unsupported OS.
WD has had unfortunate run-ins with old vulnerabilities in unsupported devices, of late. Last week, a decade old unpatched vulnerability (opens in new tab) led to several users losing their data as their My Book (opens in new tab) NAS devices were factory reset in an ongoing malware (opens in new tab) campaign.
- These are the best rugged hard drives (opens in new tab) out there