Say hello to one more zero-day and yet more potential remote data death for those who can’t/won’t upgrade their My Cloud storage devices.

Bad news comes in threes, most particularly for Western Digital customers.

As if things weren’t bad enough for the untold number of Western Digital customers whose data blinked out of existence last month, there’s another zero-day waiting for whoever can’t or won’t upgrade its My Cloud storage devices.

The latest zero-day entails an attack chain that allows an unauthenticated intruder to execute code as root and install a permanent backdoor on the vendor’s network-attached storage (NAS) devices. It’s found in all Western Digital NAS devices running the old, no-longer-supported My Cloud 3 operating system: an OS that the researchers said is “in limbo,” given that Western Digital recently stopped supporting it.

, Western Digital Users Face Another RCE, The Cyber Post

Western Digital has said that its update – My Cloud OS 5 – fixed the bug. Maybe so, but the researchers who found the OS 3 vulnerability, Radek Domanski and Pedro Ribeiro, told security journalist Brian Krebs that OS 5 was a complete rewrite of OS 3 that skewered some popular features and functionality. As such, not all users are likely to upgrade: a presumption underscored by the many users who cited using OS 3 in the support forum when the remote data wipe happened in June.

“It broke a lot of functionality,” Domanski said of OS 5, as quoted by Krebs. “So some users might not decide to migrate to OS 5.”

There is hope. Domanski and Ribeiro have developed and released their own patch that fixes the vulnerabilities they found in OS 3. One problem: It needs to be reapplied every time the device reboots.

The Global RCE Data Wipe

Last month, we saw what a bug like this can lead to: Customers across the world wailed as years – decades, in some cases – of data were remotely wiped off of their old My Book Live and My Book Live Duo devices.

The June attack actually turned out to be two attacks rolled into what at first seemed like one: An old remote-code execution (RCE) bug from 2018 that Western Digital first blamed for the remote wipes, and then a previously unknown zero-day flaw that enabled unauthenticated remote factory-reset device wipes.

As Ars Technica’s Dan Goodin detailed in a fascinating writeup, Ars and Derek Abdine, CTO at security firm Censys, analyzed logs from affected devices and found that the devices seemed to have been caught in some kind of tug-of-war, in what Abdine hypothesized might have been a struggle between multiple attackers for control of the compromised devices.

The Latest Zero Day

Now comes this one, the latest bug, reported last week by Krebs. It’s a third, similarly serious zero-day vulnerability in a much broader range of newer Western Digital My Cloud NAS boxes. Domanski and Ribeiro originally planned to present it at the Pwn2Own hacking contest in Tokyo last year.

They never did: As vendors tend to do, Western Digital pushed out an update a mere week before the pair – who hack together as Flashback Team – were going to present. Given that the update squashed their bug, the researchers couldn’t compete. Pwn2Own rules stipulate that exploits work against the latest firmware or software supported for a targeted device.

But in February, they did publish the attack chain they pieced together, shown in the YouTube video below. The duo gave Western Digital “a taste of their own medicine,” giving the company just one week to fix the vulnerability as a mirror to that one week the OS 5 update dropped leading up to the Pwn2Own event.

Why so little time? A few reasons: Because OS 3 is out of support, because Comparitech researchers had already found five critical RCE flaws in Western Digital devices that they published back in November 2020, because Western Digital never responded to the Flashback Team, and because Western Digital’s official response was a bit of a shrug. Namely, the vendor recommended ditching OS 3 and upgrading to OS 5: a response that didn’t clarify whether the company had actually fixed the OS 3 vulnerabilities.

In a March 12, 2021 statement, the company said that OS 3 would no longer be supported:

We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware.

“We strongly encourage moving to the My Cloud OS5 firmware,” Western Digital said in the statement. “If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here.” The vendor also provided a list of My Cloud devices that can support OS 5.

Western Digital ignored Krebs’ question about whether the vulnerabilities in OS 3 were ever addressed. Threatpost reached out to the company to ask the same question and will update the article if we hear back.

Western Digital told Krebs that it hadn’t responded to Flashback Team because it received their report after Pwn2Own Tokyo 2020, but at the time, the vulnerability they reported had already been fixed by the release of My Cloud OS 5.

“The communication that came our way confirmed the research team involved planned to release details of the vulnerability and asked us to contact them with any questions,” Western Digital told Krebs OnSecurity. “We didn’t have any questions so we didn’t respond. Since then, we have updated our process and respond to every report in order to avoid any miscommunication like this again. We take reports from the security research community very seriously and conduct investigations as soon as we receive them.”

That Doesn’t Cut It

Craig Young, principal security researcher at Tripwire, told Threatpost that ignoring advisories from security researchers is bad form. “It is a very bad practice for software vendors to ignore communication from security researchers,” he said via email. “‘We didn’t have any questions so we didn’t respond’ just doesn’t cut it as an explanation for vendor silence.”

Rather, best practice dictates that “all reports received by a security team receive some form of response to the reporter,” Young continued. “It’s also worth a closer look at the timeline here. Based on what I’ve read, the vendor knew about the critical flaw affecting OS 3 several months before support ended for this platform. While it is understandable that they prioritized release of a new major version including the security fixes, the vendor also should have backported the fix for OS 3 users long before it went out of support in March 2021.”