Western Digital MyCloud And MyBook Users Slammed By New Alarming 0-Day Security Flaw

Just last week, many Western Digital MyBook Live owners lamented the fact that their personal cloud was being attacked and wiped remotely. Those storage devices were older and hadn't been supported since 2015. As a result, those NAS products proved to be a lesson in not putting unsecured and unpatched devices on your network. Much more alarming appears to be another zero-day, unpatched bug, this time in the WD's current lineup, and any supported device that hasn't already been updated is vulnerable. 

Before we go any farther, it's worth noting that WD has solved the issue with MyCloud OS 5. Owners of MyCloud devices should ensure immediately that their drives are fully updated to the latest, which is just good security practice anyhow. The company doesn't say whether the security issue was addressed in MyCloud OS 3, the previous version (there was no MyCloud OS 4, apparently), only that it stopped supporting the older OS in March of 2021. Western Digital has published a list of devices supported by MyCloud OS 5, so users can hit that to ensure they're covered. 

However, two security researchers, Radek Domanski and Pedro Rebeiro, published a YouTube video demonstrating a series of vulnerabilities that ultimately led to uninhibited access as root to a WD MyCloud OS 3 device. This allowed them to install a permanent backdoor, so that they could access the device again without re-exploiting those security vulnerabilities. The pair say they notified Western Digital of their discovery, but did not receive a response from the company. 


Since WD had apparently ignored their warning, Domanski and Rebeiro intended to enter the Pwn2Own Tokyo 2020 competition with their exploit. However, just a week before the event, WD released MyCloud OS 5 complete with fixes for the security holes they had discovered. In a statement to Krebs on Security, Western Digital said:

The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions. We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.

Krebs on Security says the company ignored their questions about whether the flaw has been fixed on MyCloud OS 3 devices, so there may still be unsecured devices in the wild. According to Domanski and Rebeiro, MyCloud OS 5 is a total rewrite of the MyCloud operating system, and lacks several features that were found in the older firmware. Users reluctant to lose those features may have put off updating to the new OS, but that could leave them vulnerable to these issues. The solution is to ensure that the MyCloud devices running version 3 are not accessible from the internet. 

Because WD seemingly has not fixed this in its older firmware, the security researchers have released their own patch that will fix the configuration within MyCloud OS 3. This shell script re-launches the httpd service at startup, and needs to be re-run each time the device is rebooted. Users running devices stuck on the older firmware may want to head over to GitHub and check it out.