Researchers Share Another Zero-Day in Some Western Digital NAS Products
Shortly after hackers remotely wiped internet-connected My Book Live devices, researchers shared a new zero-day vulnerability affecting Western Digital products running MyCloud OS 3.
KrebsOnSecurity reported that the researchers discovered this vulnerability in 2020 and planned to present it at the Pwn2Own hacking competition last November. Western Digital addressed the vulnerability with the release of MyCloud OS 5, however, so the research wasn't presented.
That doesn't mean the vulnerability is irrelevant. MyCloud OS 5 isn't available for all Western Digital products, and some customers have reportedly held off on updating because it lacks features available in MyCloud OS 3. Unfortunately that also leaves these devices open to attack. Western Digital has also said it won't provide additional updates for MyCloud OS 3, so devices running the operating system will continue to be affected by this vulnerability. That revelation is made all the more troubling by the fact that the researchers demonstrated an exploit for the security flaw in February after Western Digital seemingly ignored their warnings about the issue.