Critical Unpatched Flaws Disclosed In Western Digital ‘My Cloud’ Storage Devices
Western Digital’s ‘My Cloud’ storage device is centralized personal storage with automatic backup that plugs into your own home network. The device lets users not only share files in a home network, but the private cloud feature also allows them to access their data from anywhere at any time, wherever they have an Internet connection.
According to the latest report, security researchers have discovered several severe vulnerabilities and a secret hard-coded backdoor in Western Digital’s My Cloud NAS devices that could allow remote attackers to gain unrestricted root access to the device. The hardcoded backdoor and the other vulnerabilities found in WD My Cloud storage devices could allow remote attackers to inject their own commands and to upload and download sensitive files without permission.
One vulnerability allows a remote attacker to upload an arbitrary file to the server running on Internet-connected vulnerable storage devices. Researchers also found a “classic backdoor” with the admin username “mydlinkBRionyg” and password “abc12345cba,” which is hardcoded into the binary and cannot be changed. The researchers also reported other vulnerabilities, including CSRF, Command Injection, Denial of Service, and Information Disclosure.
Western Digital’s My Cloud and My Cloud Mirror firmware versions 2.30.165 and earlier are affected by all of the vulnerabilities reported above. Affected models include My Cloud Gen 2, My Cloud EX2, My Cloud EX2 Ultra, My Cloud PR2100, My Cloud PR4100, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100, and My Cloud DL4100.
Cyber Security Tips: It is advised to disconnect any affected drives from your local area network and block them from having Internet access until a patch can be issued.