Western Digital has patched three critical vulnerabilities—one with a severity rating of 9.8 and another with a 9.0—that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud OS.
CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attackers’ choosing. Like the other two flaws Western Digital fixed, it resides in the Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.
The vulnerability with a severity rating of 9 out of a maximum 10 stems from a Server-Side Request Forgery. This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to an arbitrary domain of the attacker’s choosing.
CVE-2021-39275, meanwhile, carries a severity rating of 9.8 out of a possible score of 10. It allows remote attackers to crash vulnerable systems and possibly execute malicious code. Two additional vulnerabilities—CVE-2021-36160 and CVE-2021-34798—make it possible to remotely crash vulnerable systems.
Apache released patches for the vulnerabilities last October. Why the disk maker took four months to incorporate them into its disk OS is not clear.
People are often slow to patch vulnerabilities in peripheral devices such as network-attached storage appliances, the class of hardware that runs Western Digital’s proprietary My Cloud OS. That would be a mistake in this case. In June, Western Digital advised users of a different product, the My Book Live, to immediately unplug the devices from the Internet while the company responded to what later turned out to be the mass exploitation of a zero-day vulnerability.
Last year, Western Digital laid out a schedule for phasing out My Cloud OS 3. Starting earlier this week, users of the older OS whose devices are compatible with the current version, OS 5, were required to update to it. Those who didn’t would no longer be able to connect to their devices over the Internet, receive security updates, or get technical support. On April 15, support for version 3 will end completely. Devices that aren’t compatible with version 5 will lose remote access at that point, meaning their owners will only be able to reach files over local networks.
Listing image by followtheseinstructions / Flickr