Western Digital won’t fix a vulnerability found in older My Cloud OS3 storage devices
Owners of Western Digital community connected storage (NAS) devices could have yet one more safety headache on the horizon. Following the 2 flaws hackers exploited to wipe My Book Live devices remotely, safety journalist Brian Krebs has published a report on one other zero-day vulnerability that impacts Western Digital merchandise operating the corporate’s My Cloud OS3 software program. What’s extra, it doesn’t seem there can be an official fix for many who don’t improve to a newer storage answer.
Earlier in the 12 months, safety researchers Radek Domanski and Pedro Ribeiro found a collection of weaknesses that enable a malicious actor to remotely replace a My Cloud OS3 system so as to add a backdoor. The two say they by no means heard again from the corporate after they tried to contact it concerning the vulnerability. Western Digital attributes its response (or lack thereof) to considered one of its earlier insurance policies.
“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” a spokesperson for the corporate informed Krebs. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again.”
While the flaw isn’t current in Western Digital’s new My Cloud OS 5, it’s unclear if the corporate ever went again to deal with it in My Cloud OS3. What’s extra, it now not plans to assist the older software program. “We will not provide any further security updates to the My Cloud OS3 firmware,” Western Digital says in a support page dated to March twelfth, 2021. “We strongly encourage moving to the My Cloud OS 5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5.”
When Engadget reached out to Western Digital, a spokesperson for the corporate informed us “there is a fix for this vulnerability — we ‘patched’ OS3 with OS 5.” They added: “My Cloud OS 5 is a major security release that provides an architectural revamp of our older My Cloud firmware. All My Cloud products currently under active support are eligible for the My Cloud OS 5 upgrade and we recommend that all users upgrade as soon as possible to benefit from the latest security fixes.”
If you personal a system which you could’t replace to My Cloud OS 5, you may download a patch Domanski and Ribiro developed. One factor to notice is you’ll have to reapply it every time you reboot your system. You also can shield your My Cloud NAS drive by limiting its entry to the web.
Update 6:35PM ET: Added remark from Western Digital.
All merchandise really helpful by Engadget are chosen by our editorial workforce, impartial of our dad or mum firm. Some of our tales embody affiliate hyperlinks. If you buy one thing by considered one of these hyperlinks, we could earn an affiliate fee.
This Web site is affiliated with Amazon associates, Clickbank, JVZoo, Sovrn //Commerce, Warrior Plus etc.