Western Digital urges customers to patch NAS drive backdoor

Security researcher discovers hard-coded flaw in storage appliances

Western Digital has urged customers to update the firmware on their NAS appliances, after a security researcher discovered a number of security issues including a hard-coded backdoor that allows anyone to gain access to the devices.

GulfTech researcher James Bercegay discovered the vulnerability, which allows attackers to log into an affected NAS device using a pre-set username and password that cannot be changed or modified.

Advertisement - Article continues below

The affected models are: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Bercegay also discovered several other vulnerabilities, including command injection, cross-site request forgery and unrestricted file upload flaws. Interestingly, he noted that the backdoor and file upload issued perfectly matched flaws found in the D-Link DNS-320L ShareCenter, a rival NAS device, making it possible that Western Digital licensed the (flawed) code from D-Link in order to build its NAS appliance.

Western Digital told IT Pro that Bercegay had already notified it of the flaws, and that the issue was addressed in the v2.30.172 firmware update. A spokesperson urged customers to update to the latest version of the firmware in order to avoid being affected.

Advertisement
Advertisement - Article continues below

"As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device," they said.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities."

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/hacking/355774/nigerian-hackers-swindle-millions-of-dollars-from-unemployment-systems
hacking

Nigerian hackers swindle millions of dollars from unemployment systems

22 May 2020
Visit/security/hacking/355773/hackers-take-on-unsuspecting-airliners-exposing-customer-data
hacking

Hackers take on unsuspecting airliners, exposing customer data

22 May 2020
Visit/security/hacking/355749/hackers-targets-game-developers-with-advanced-malware
hacking

Hackers target game developers with advanced malware

21 May 2020
Visit/security/hacking/355738/security-service-of-ukraine-arrests-infamous-hacker-sanix
hacking

Security Service of Ukraine arrests infamous hacker Sanix

21 May 2020

Most Popular

Visit/security/34616/the-top-ten-password-cracking-techniques-used-by-hackers
Security

The top ten password-cracking techniques used by hackers

5 May 2020
Visit/mobile/5g/355712/nokia-5g-speed-record
5G

Nokia breaks 5G record with speeds nearing 5Gbps

20 May 2020
Visit/cloud/cloud-computing/355742/microsoft-launches-public-cloud-service-for-health-care
cloud computing

Microsoft launches public cloud service for health care

21 May 2020