• Got a Western Digital NAS?

    #2375172

    I just told a coworker to unplug his WD MyCloud/MyBook devices. We have another zero day for the Western Digital lineup. Brian Krebs has the details.
    [See the full post at: Got a Western Digital NAS?]

    Susan Bradley Patch Lady/Prudent patcher

    • #2375194

      Yikes.  I’ve thought about adding some NAS, but if they’re big targets for malware, maybe I’ll just stick with my USB drives too.

      i7-10700k - ASROCK Z590 Pro4 - 1TB 970 EVO Plus M.2 - DDR4 3200 x 32GB - GeForce RTX 3060 Ti FTW - Windows 10 Pro

      • #2375811

        Don’t expose them to the Internet and it isn’t much of a problem. The problem with the Cloud Drives is that they’re designed to make setup “easy” and connect to the outside world. Same with a lot of printers; if you don’t need the cloud-enabled features so you can print off a PDF document while on the other side of the planet, just disable it.

        That’s not full protection but it removes a lot of the danger.

    • #2375203

      I’ve thought about adding some NAS

      There is nothing wrong with adding a NAS, provided it is not WD.
      There are better NAS vendors like Synology and others.

      • #2375250

        So far, I love my Synology DS920+! It is an upgrade from my very old DS209 I kept powered off (obsolete firmware). On the DS920+ I have an 8TB RAID1 array and I’m adding another 14TB RAID1 array as I ran out of space…

        I’m looking forward to running my VMs on the NAS and repurposing the old PC they are running on! The 4GB memory upgrade should arrive with the 14TB HDDs 🙂

        Martin

    • #2375216

      In case you have other Western Digital backup drives and are wondering about it, as I did, the remote wiping attacks do not appear, as of now, to be striking Western Digital My Passport drives connected to one PC via USB. The attacks are rather directed at WD My Book Live and My Cloud Live backup drives directly connected to routers for network backup (“NAS”).

    • #2375215

      Perhaps there is a good article in there…

      How to maintain backups?

      1. USB drives
      2. DVD+ disks
      3. Hard disk(s)
      4. NAS
      5. Tape (does anyone do tape these days?)

      Signed:

      A not so proud owner of 20+ WD disks including a WD My Book Live Duo!

    • #2375271

      In case you have other Western Digital backup drives and are wondering about it, as I did, the remote wiping attacks do not appear, as of now, to be striking Western Digital My Passport drives connected to one PC via USB. The attacks are rather directed at WD My Book Live and My Cloud Live backup drives directly connected to routers for network backup (“NAS”).

      WD has said that it is the My Book Live and My Book Live Duo that have been attacked.

      The My Cloud series is, apparently, still OK.

      • #2375413

        WD has said that it is the My Book Live and My Book Live Duo that have been attacked.

        The My Cloud series is, apparently, still OK.

        This thread is about “another zero day for the Western Digital line up”.

        MyCloud devices (unless very recent) are vulnerable to attacks:

        Countless Western Digital customers saw their MyBook Live network storage drives remotely wiped in the past month thanks to a bug in a product line the company stopped supporting in 2015, as well as a previously unknown zero-day flaw. But there is a similarly serious zero-day flaw present in a much broader range of newer Western Digital MyCloud network storage devices that will remain unfixed for many customers who can’t or won’t upgrade to the latest operating system.

        At issue is a remote code execution flaw residing in all Western Digital network attached storage (NAS) devices running MyCloud OS 3, an operating system the company only recently stopped supporting.

        Another 0-Day Looms for Many Western Digital Users

        • #2375517

          You are correct;  I failed to read the article properly.

          Oh well, something else to worry about…

          Anon

        • #2375812

          The latest OS5 also disables a bunch of features, it seems.  It might not be worth updating depending on what people are using the NAS for.

    • #2375414

      Thanks for sharing – had interesting lecture yesterday evening…

      Does anybody know what the exact vulnerability is though? I have a skin in the game… For reference:

      https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/16

      That’s what I just got when I created and ran the script:

      Patching vulnerability and restarting httpd…
      httpd: no process found
      authfix.sh: line 15: httpd: command not found
      Vulnerability patched. Don’t forget to run this script at every reboot!

      (…) Also, does anybody actually know what this vulnerability entails exactly, given that the above script seems to be doing something to httpd, which apparently does not run on my device?

      • #2375417

        Did you watch the video for details of the vulnerability?

        Why can you not update from My Cloud OS 3 to My Cloud OS 5?

        • #2375419

          Well, I just did, and there we are:

          (https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/18?u=krzemien)

          EDITED TO ADD #1: I’m not getting the same response where **nobody** & **squeezecenter** accounts are considered as authors do to *cat /etc/shadow* command (~5m45s)

          Code:
          nobody:*:15729:0:99999:7:::
          

          **squeezecenter** account does not in fact exist.

          EDITED TO ADD #2: I’m not getting the same response as authors do to *curl ‘http://127.0.0.1/api/2.1/rest/device?auth_username=nobody?auth_password=’* command (~9m45s)

          Code:
          <?xml version="1.0" encoding="utf-8"?><core><error_code>401</error_code><http_status_code>401</http_status_code><error_id>57</error_id><error_message>User not authorized</error_message></core>WDMyCloud:~#
          

          EDITED TO ADD #3:

          I’m not getting the same response as authors do to *curl -X POST ‘http://127.0.0.1/api/2.1/rest/firmware_update?auth_username=nobody&auth_password=’* command (~13m00s)

          Code:
          <?xml version="1.0" encoding="utf-8"?><core><error_code>401</error_code><http_status_code>401</http_status_code><error_id>57</error_id><error_message>User not authorized</error_message></core>WDMyCloud:~#
          

          EDITED TO ADD #4: Whole premise of attack assumes using **nobody** account for nefarious purposes (15m30s)

          EDITED TO ADD #5: I’m not getting the same response as authors do to *ps faux | grep httpd* command (~21m45s)

          Code:
          root 16889 0.0 0.7 2432 1728 pts/0 S+ 16:26 0:00 \_ grep httpd
          

          What I am seeing is that my device seems to be immune to that vector of attack as user **nobody** does not seem to respond to the commands as shown in this YouTube video. At least that’s my quick conclusion…
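An added example, not part of the post above and not WD's or the video authors' code: a small Python helper that interprets the two kinds of output quoted in that post, the `/etc/shadow` entry and the REST API error reply (including the shell prompt that ends up glued to the XML). The function names are hypothetical, the inputs are constructed copies of the quoted output, and the shadow classification goes slightly beyond the post by also covering empty and hashed password fields.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, shaped like the output quoted in the post.
SHADOW_LINE = "nobody:*:15729:0:99999:7:::"
API_RESPONSE = ('<?xml version="1.0" encoding="utf-8"?><core>'
                '<error_code>401</error_code>'
                '<http_status_code>401</http_status_code>'
                '<error_id>57</error_id>'
                '<error_message>User not authorized</error_message></core>')


def classify_shadow_entry(line):
    """Return (user, state) for one /etc/shadow line (hypothetical helper)."""
    fields = line.strip().split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow entry: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        state = "empty-password"     # account authenticates with no password
    elif pw.startswith(("*", "!")):
        state = "locked"             # no password can match this field
    elif pw.startswith("$"):
        state = "hashed"             # modular crypt hash, e.g. $6$...
    else:
        state = "legacy-or-unknown"  # e.g. traditional DES crypt
    return user, state


def parse_api_reply(text):
    """Parse the <core> reply, ignoring anything after </core> (a prompt)."""
    end = text.find("</core>")
    if end == -1:
        raise ValueError("no <core> document in reply")
    root = ET.fromstring(text[:end + len("</core>")].encode("utf-8"))
    return {child.tag: (child.text or "") for child in root}


def request_rejected(text):
    """True when the API reply reports HTTP 401 for the request."""
    return parse_api_reply(text).get("http_status_code") == "401"


if __name__ == "__main__":
    print(classify_shadow_entry(SHADOW_LINE))
    print(request_rejected(API_RESPONSE + "WDMyCloud:~#"))
```
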

          • #2375467

            As per my post on WD Forums:

            https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631/24?u=krzemien

            I just revisited all the above with clear eyes and corrected typos accordingly. Nonetheless the result remains the same(…)

            The unit I own is 1st Gen (v4.x), with the latest available firmware (v04.05.00-342) installed. No faffing with its content, with the exception of HD Sentinel installation (as per the other thread & my post here: Monitor Network Attached Storage (NAS) status via HD Sentinel – #6 by krzemien)

            (…)

            The results I am seeing – but I might be missing something bleeding obvious – seem to indicate that 1st Gen units might be immune to this vulnerability.

            And no, I understand that I cannot upgrade this unit to OS5 as it’s not supported on this hardware.

            • #2375824

              Skimming the forums and watching the 0Day vid, OS3 version 4 is still likely impacted.  The Nobody account might have a generic password in v4.  You can try following the first couple steps to decrypt the password and see what it is.  Try the attack again with the new password.  The password is likely something generic and default similar to the squeezecenter one in the video.

               

              I don’t own a device so I can’t provide feedback beyond this.

            • #2375875

              Late realisation my end – after going through all the above at a later stage – was/is that v4 is not based on OS3 actually.

              Security by obscurity? 😉

    • #2375553

      From a “does a NAS make any sense to have” perspective…

      Modern computers generally have terabytes of storage and transfer up to gigabytes of storage fairly quickly to/from disks. My own reasonably high-end system has 4.5 TB of internal solid state storage that can sustain 3 to 4 gigabytes per second data transfer. That’s upwards of 4,000 megabytes per second.

      Networks, in a practical sense, handle tens of megabytes per second. Doing mental math, you might feel that your network should be able to handle hundreds of megabytes per second, but do some practical measurements (e.g., with Resource Monitor) during e.g. a file backup. You will likely see your effective data rates in the single megabytes per second range. The reality does not often match or even come close to theoretical maximum speeds.

      These data sizes and rates are in different ballparks. Strike 1 against network attached storage.

      A network link is a connection between computer systems. It may use wired connections that have poor wires or dirty / corroded connections, and / or running across wifi – that’s a radio signal, subject to all kinds of interference from lightning noise to your home wireless phone to other wifi networks to solar flares.

      The reality here is that even in the best of cases your network gear can experience errors. Networking protocols are designed to retry and correct these errors (and they may not be perfect implementations). All that comes at a cost. Sometimes the error correction cuts into effective speed and sometimes it just causes failures to copy data, either copying with errors or failing out of the software entirely. Remember, you may be trying to copy data between two different operating systems too (e.g. Windows on your device, Linux on your NAS). Strike 2 against NAS.

      NAS systems are likely more open to connection from other devices in your LAN, and now we have increased vulnerabilities as these NAS systems become more IoT and bridge the gap between inside your LAN – generally a safer place – and the wild internet, where everything and everyone are connected together… Seems like strike 3 to me.

      There are many more details to all this that I haven’t touched on.

      -Noel

      • #2375620

        My ThinkPad P52 + Synology DS920+ can transfer an actual 925Mbps during backups (3h for 1TB). I admit that if my P52 storage was fully loaded, it would take 10h+ to do a 3.5TB full backup.

        At that point, some files I keep local would be permanently hosted on the NAS (like my software package archive) and I would do less Full backups and more Differentials/Incrementals and off-site Full backups. Use good backup software and *TEST YOUR BACKUPS*, of course! A good backup solution will encapsulate, transfer and verify your data.

        If NAS aren’t the solution, what is? Do you know high-capacity (20TB) storage arrays that can be used to back up multiple computers automatically at a similar price point?

        Martin

        • #2375742

          I prefer to plug USB hard drives in myself. Western Digital MyBook (not Cloud editions), each system having at least one. This gives advantages like pretty well-integrated bare metal backup restoral and higher throughput.

          With multiple computer systems on the LAN you could even do things like back up between systems, with the advantage that you control the OS.

          And FWIW, I can copy individual large files between systems and nearly saturate the gigabit Ethernet, but real backups don’t tend to approach that speed for a variety of reasons, which does also apply (but perhaps a bit less so due to caching) to a locally attached disk drive.

          -Noel
