Western Digital urges customers to patch NAS drive backdoor

Security researcher discovers hard-coded flaw in storage appliances

Western Digital has urged customers to update the firmware on their NAS appliances, after a security researcher discovered a number of security issues including a hard-coded backdoor that allows anyone to gain access to the devices.

GulfTech researcher James Bercegay discovered the vulnerability, which allows attackers to log into an affected NAS device using a pre-set username and password that cannot be changed or modified.

The affected models are: MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Bercegay also discovered several other vulnerabilities, including command injection, cross-site request forgery and unrestricted file upload flaws. Interestingly, he noted that the backdoor and file upload issued perfectly matched flaws found in the D-Link DNS-320L ShareCenter, a rival NAS device, making it possible that Western Digital licensed the (flawed) code from D-Link in order to build its NAS appliance.

Western Digital told IT Pro that Bercegay had already notified it of the flaws, and that the issue was addressed in the v2.30.172 firmware update. A spokesperson urged customers to update to the latest version of the firmware in order to avoid being affected.

"As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device," they said.

"Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities."

Featured Resources

Digital document processes in 2020: A spotlight on Western Europe

The shift from best practice to business necessity

Download now

Four security considerations for cloud migration

The good, the bad, and the ugly of cloud computing

Download now

VR leads the way in manufacturing

How VR is digitally transforming our world

Download now

Deeper than digital

Top-performing modern enterprises show why more perfect software is fundamental to success

Download now

Recommended

CMS platforms succumb to KashmirBlack botnet as businesses rush online
Security

CMS platforms succumb to KashmirBlack botnet as businesses rush online

22 Oct 2020
Government agencies see misconfigured cloud services as top security threat
Security

Government agencies see misconfigured cloud services as top security threat

22 Oct 2020
Lookout reveals mobile-first endpoint detection and response solution
Security

Lookout reveals mobile-first endpoint detection and response solution

21 Oct 2020
Cisco finds an increase in security concerns due to remote working
Security

Cisco finds an increase in security concerns due to remote working

21 Oct 2020

Most Popular

The enemy of security is complexity
Sponsored

The enemy of security is complexity

9 Oct 2020
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

5 Oct 2020
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

5 Oct 2020