Western Digital Users Face Another RCE
2021-07-06 17:01

As if things weren't bad enough for the untold number of Western Digital customers whose data blinked out of existence last month, there's another zero-day waiting for whoever can't or won't upgrade their My Cloud storage devices.

It's found in all Western Digital NAS devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is "in limbo," given that Western Digital recently stopped supporting it.

The June attack actually turned out to be two attacks rolled into what at first seemed like one: an old remote code execution bug from 2018 that Western Digital first blamed for the remote wipes, and then a previously unknown zero-day flaw that enabled unauthenticated remote factory-reset device wipes.

It's a third, similarly serious zero-day vulnerability in a much broader range of newer Western Digital My Cloud NAS boxes.

Why so little time? A few reasons: Because OS 3 is out of support, because Comparitech researchers had already found five critical RCE flaws in Western Digital devices that they published back in November 2020, because Western Digital never responded to the Flashback Team, and because Western Digital's official response was a bit of a shrug.

Western Digital told Krebs that it hadn't responded to Flashback Team because it received their report after Pwn2Own Tokyo 2020, but at the time, the vulnerability they reported had already been fixed by the release of My Cloud OS 5.


News URL

https://threatpost.com/rce-0-day-western-digital-users/167547/