Widespread file exposure possible with Western Digital, Synology NAS flaws

Millions of Western Digital and Synology network-attached storage devices are impacted by already patched critical security flaws, which could have been leveraged to expose millions of users' files, SecurityWeek reports. Vulnerabilities impacting WD NAS devices could have been exploited to facilitate remote user file access, arbitrary code execution, and total device takeovers, according to a Claroty report. "First, we enumerate all of the devices GUID, and choose our target list. We then impersonate the device, stealing its cloud tunnel and disconnecting the device. Any requests performed to the device will now reach us, giving us the authentication tokens for the device admin," said Claroty, which has used the new permissions to enable the execution of a payload upon device reboot. Meanwhile, security bugs in Synology NAS devices were also found by researchers to enable device impersonation and force redirections to attacker-controlled devices, which could then result in credential theft and user data compromise, as well as arbitrary code execution.