Western Digital takes six months to patch easily exploitable NAS backdoor

By on
Western Digital takes six months to patch easily exploitable NAS backdoor

Western Digital has resolved a number of bugs that left its NAS drives vulnerable – six months after the vendor was notified about the issue.

The vulnerabilities were found by security researcher James Bercegay, who discovered that the firmware for Western Digital's My Cloud series of NAS drives contained a hardcoded backdoor administration account, which could not be changed and allowed for pre-authorised remote root code execution.

Attackers could log into a customer's My Cloud device with username "mydlinkBRionyg" and password "abc12345cba," which allowed them to issue rogue commands to vulnerable devices. Another easily exploitable bug allowed attackers to upload files onto the device, and in turn gave them control over the device's data.

Affected devices include MyCloud, MyCloudMirror, My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

With a view to responsible disclosure, Bercegay said he informed Western Digital about the issues in June 2017 – then waited months before publishing his research on his own website last week.

Since publishing his research, Western Digital has issued a fix to the remote access bugs, which can be manually downloaded from the vendor's website.

CRN has contacted Western Digital for comment.

It's not the first time the My Cloud series has come under fire for vulnerabilities. The vendor was criticised last year for its late response to 85 exploits in the My Cloud series and failing to patch the bugs until they became public.

At the time, Western Digital issued a statement encouraging researchers to disclose potential vulnerabilities to the vendor before making them public.

The manufacturer's handling of a security vulnerability in its WD MyPassword Drive even won the company 'Pwnie Award' at the 2016 BlackHat USA security conference in Las Vegas for Lamest Vendor Response, which is awarded to "the vendor who mishandled a security vulnerability most spectacularly".

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © nextmedia Pty Ltd. All rights reserved.
Tags:
james bercegay nas security servers & storage western digital

Partner Content

Ingram Micro Ushers in the Age of Ultra
Ingram Micro Ushers in the Age of Ultra
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Secure, integrated platforms enable MSPs to focus bringing powerful solutions to customers
Kaseya Dattocon APAC 2024 is Back
Kaseya Dattocon APAC 2024 is Back
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Build cybersecurity capability with award winning Fortinet training from Ingram Micro
Channel can help lead customers to boosting workplace wellbeing with professional headsets
Channel can help lead customers to boosting workplace wellbeing with professional headsets

Sponsored Whitepapers

Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
Stop Fraud Before It Starts: A Must-Read Guide for Safer Customer Communications
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
The Cybersecurity Playbook for Partners in Asia Pacific and Japan
Pulseway Essential Eight Framework
Pulseway Essential Eight Framework
7 Best Practices For Implementing Human Risk Management
7 Best Practices For Implementing Human Risk Management
2025 State of Machine Identity Security Report
2025 State of Machine Identity Security Report

Events

techpartner.news MSP index - Brisbane
techpartner.news MSP index - Brisbane
techpartner.news Channel Leader List / Golf day
techpartner.news Channel Leader List / Golf day
techpartner.news Pipeline Conference 2025
techpartner.news Pipeline Conference 2025
Integrate Expo 2025
Integrate Expo 2025
Security Exhibition & Conference 2025
Security Exhibition & Conference 2025

Most read articles

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services

AI ambition: Nick Beaugeard looks to harness AI agents to provide tech services
Vic gov to spend $100m on cyber security

Vic gov to spend $100m on cyber security
MSPs pressed to review ransomware response as new reporting rules commence

MSPs pressed to review ransomware response as new reporting rules commence
Tech Research Asia to present Australian IT M&A report

Tech Research Asia to present Australian IT M&A report

Log in

Email:
Password:
  |  Forgot your password?