Security News
Western Digital announced today that its network has been breached and an unauthorized party gained access to multiple company systems. "Upon discovery of the incident, the Company implemented incident response efforts and initiated an investigation with the assistance of leading outside security and forensic experts," Western Digital says in the disclosure.
US-based data storage company Western Digital has announced that it has suffered a network security incident that resulted in an unauthorized third party gaining access to a number of the company's systems and some company data. Western Digital identified the network security incident on March 26, 2023.
Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices. This flaw is an out-of-bounds heap read/write in the Samba vfs fruit VFS module.
Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices. This flaw is an out-of-bounds heap read/write in the Samba vfs fruit VFS module.
Western Digital has released new My Cloud OS firmware to fix a vulnerability exploited by bug hunters during the Pwn2Own 2021 hacking competition to achieve remote code execution. The flaw, tracked as CVE-2022-23121, was exploited by the NCC Group's EDG team members and relied on the open-source service named "Netatalk Service" that was included in My Cloud OS. The vulnerability, which has a CVSS v3 severity score of 9.8, allows remote attackers to execute arbitrary code on the target device, in this case, WD PR4100 NAS, without requiring authentication.
Users of Western Digital's EdgeRover app for Windows and Mac are advised to download an updated version to avoid a security flaw that might allow an attacker unauthorized access to directories and files. According to Western Digital, the flaw meant that EdgeRover was subject to a directory traversal vulnerability, which may have allowed an attacker to carry out a local privilege escalation and bypass file system sandboxing.
Western Digital's EdgeRover desktop app for both Windows and Mac are vulnerable to local privilege escalation and sandboxing escape bugs that could allow the disclosure of sensitive information or denial of service attacks. EdgeRover is a centralized content management solution for Western Digital and SanDisk products, unifying multiple digital storage devices under a single management interface.
Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support. Western Digital advises customers to protect their data from attackers after the firmware is no longer supported by backing up their devices, disabling remote access, disconnecting it from the internet, and choosing a unique and strong password.
Western Digital has confirmed that it changed the NAND flash memory in one of its most popular M.2 NVMe SSD models, the WD Blue SN550, which crippled writing speeds according to several reports, leading to a 50% performance hit. The company says that, in the future, it will also introduce a new model number when making any hardware changes to its products that impact performance.
As if things weren't bad enough for the untold number of Western Digital customers whose data blinked out of existence last month, there's another zero-day waiting for whoever can't or won't upgrade its My Cloud storage devices. It's found in all Western Digital NAS devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is "In limbo," given that Western Digital recently stopped supporting it.