Western Digital has resolved a number of bugs that left its NAS drives vulnerable – six months after the vendor was notified about the issue.
The vulnerabilities were found by security researcher James Bercegay, who discovered that the firmware for Western Digital's My Cloud series of NAS drives contained a hardcoded backdoor administration account, which could not be changed and allowed remote code execution as root without prior authentication.
Attackers could log into a customer's My Cloud device with the username "mydlinkBRionyg" and the password "abc12345cba", which allowed them to issue rogue commands to vulnerable devices. Another easily exploitable bug allowed attackers to upload files onto the device, which in turn gave them control over the device's data.
Affected devices include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.
With a view to responsible disclosure, Bercegay said he informed Western Digital about the issues in June 2017 – then waited months before publishing his research on his own website last week.
Since Bercegay published his research, Western Digital has issued a fix for the remote access bugs, which can be manually downloaded from the vendor's website.
CRN has contacted Western Digital for comment.
It's not the first time the My Cloud series has come under fire for vulnerabilities. The vendor was criticised last year for its late response to 85 exploits in the My Cloud series and for failing to patch the bugs until they became public.
At the time, Western Digital issued a statement encouraging researchers to disclose potential vulnerabilities to the vendor before making them public.
The manufacturer's handling of a security vulnerability in its WD MyPassword Drive even won the company a 'Pwnie Award' for Lamest Vendor Response at the 2016 BlackHat USA security conference in Las Vegas. The award goes to "the vendor who mishandled a security vulnerability most spectacularly".