Some of Western Digital’s MyCloud-based data storage devices. Image: WD.

Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.

Researchers Radek Domanski and Pedro Ribeiro originally planned to present their findings at the Pwn2Own hacking competition in Tokyo last year. But just days before the event Western Digital released MyCloud OS 5, which eliminated the bug they found. That update effectively nullified their chances at competing in Pwn2Own, which requires exploits to work against the latest firmware or software supported by the targeted device.

Nevertheless, in February 2021, the duo published this detailed YouTube video, which documents how they discovered a chain of weaknesses that allows an attacker to remotely update a vulnerable device’s firmware with a malicious backdoor - using a low-privileged user account that has a blank password.

The researchers said Western Digital never responded to their reports. In a statement provided to KrebsOnSecurity, Western Digital said it received their report after Pwn2Own Tokyo 2020, but that at the time the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital said. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

Western Digital ignored questions about whether the flaw found by Domanski and Ribeiro was ever addressed in OS 3.