Cloud Security

No fix incoming for flaw in Western Digital products using My Cloud OS 3

July 2, 2021
A zero-day vulnerability remains present in network-attached storage devices manufactured by Western Digital that run its My Cloud OS 3 software, according to KrebsOnSecurity. The remote code execution flaw potentially allows a threat actor to use a low-privilege user account with a blank password to remotely update a vulnerable device's firmware with a malicious backdoor.

The vulnerability was discovered in 2020 by security researchers looking to take part in the Pwn2Own hacking competition. The company later released its latest version of the software, My Cloud OS 5, which made the bug obsolete.

However, Western Digital has made no statement on whether the flaw has been addressed on My Cloud OS 3 devices and instead urged customers to upgrade to My Cloud OS 5 or purchase a new My Cloud OS 5-supported device.

The researchers recommended that users of My Cloud OS 3 ensure their devices are not remotely reachable via the Internet. They have also released a patch they created to address the vulnerabilities, though it needs to be reapplied every time the device is rebooted.
Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
