New zero day vulnerability disclosed in Western Digital NAS hard drives but affects fewer clients

Just a couple of weeks after a hacking group forced the deletion of files on My Book Live network storage (NAS) devices, a security report revealed some details about a zero-day vulnerability impacting Western Digital products running MyCloud OS 3.

The vulnerability was reported by KrebsOnSecurity researchers in 2020 and they planned to present it at the Pwn2Own hacking event, although the manufacturers fixed the flaw with the release of MyCloud OS 5.

However, the flaw is still a risk because the MyCloud OS 5 system is not available for all Western Digital devices, so they do not have protections against this flaw. The company also confirmed that no further updates will be sent for MyCloud OS 3, so devices running the operating system will remain at risk of exploitation. As if that weren’t enough, a few months ago a proof of concept (PoC) exploit capable of abusing this flaw was revealed.

In this regard, Western Digital issued a statement to mention: “the communication we received confirmed that the investigation team involved planned to release details of the vulnerability and asked us to tell them any questions.”

At the moment it is unknown if there are cases of active exploitation in real scenarios, although the cybersecurity community is already preparing some guidelines of recommendation to prevent any potential hacking attempt. If you do not want to wait, it is best for users to purchase a device capable of running the MyCloud OS 5 system, install the updated firmware or in critical cases disable remote access to these deployments.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.