If you like the data on your WD My Cloud OS 3 device, patch now


If you like the data on your WD My Cloud OS 3 device, patch now

Western Digital has patched three critical vulnerabilities, one with a severity rating of 9.8 and one with a 9.0, that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud operating system. .

CVE-2021-40438, as one of the vulnerabilities is traced, allows unauthenticated remote attackers to have devices forward requests to servers of the attackers’ choosing. Like the other two flaws that Western Digital fixed, it resides in versions 2.4.48 and earlier of the Apache HTTP server. Attackers have already successfully exploited it to steal hashed passwords of a vulnerable system, and exploit code it is readily available.

The vulnerability with a severity rating of 9 out of a maximum of 10 is derived from a Server-side request forgery. This class of bug allows attackers to funnel malicious requests to internal systems that are behind firewalls or not accessible outside of a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain chosen by the attacker.

CVE-2021-39275, meanwhile, has a severity rating of 9.8 out of a possible 10. It allows remote attackers to lock down vulnerable systems and possibly execute malicious code. Two additional vulnerabilities—CVE-2021-36160 Y CVE-2021-34798—make it possible to remotely lock down vulnerable systems.

Apache released patches for the vulnerabilities last october. It’s not clear why it took the drive maker four months to incorporate them into its drive operating system.

Many people are often slow to patch vulnerabilities in peripheral devices, such as network-attached storage devices, that run Western Digital’s proprietary My Cloud operating system. That would be a mistake in this case. In June, Western Digital advised users of a different product, My Book Live, to immediately disconnect devices from the Internet. Meanwhile, the company responded to what later turned out to be the massive exploitation of a zero-day vulnerability.

Last year, Western Digital established a schedule for phasing out the use of My Cloud OS 3. Earlier this week, users of the previous operating system with devices that support version 5 of the current operating system were required to upgrade to the new version. . If they didn’t, users would no longer be able to connect to devices over the Internet, receive security updates, or get technical support. On April 15, support for version 3 will end completely. Devices that don’t support version 5 by then will lose remote access, meaning they can only access files over local networks.

“We recommend that all eligible users upgrade to My Cloud OS 5 immediately to benefit from the latest security fixes,” Western Digital said in a statement. advisory. Instructions for updating are here.

List of images by follow these instructions / Flickr


arstechnica.com

Leave a Reply

Your email address will not be published.