Year-old vulnerability in WD My Cloud NAS still not patched

Western Digital has still not patched a year-old vulnerability in its My Cloud service, which allows users to access files on their NAS at home over the internet. Through the vulnerability, an attacker can bypass the device's authentication and log in as administrator without a password.

The vulnerability was discovered by two security researchers who found it independently of each other. They reported the vulnerability to Western Digital in April 2017 and never heard back from the hard disk manufacturer. In July last year, they also disclosed the vulnerability during the Defcon security conference in Las Vegas.

Earlier this year, one of the security researchers stated on Twitter that the vulnerability still wasn’t patched. Because of the lack of a patch, the other security researcher decided to publicly disclose the vulnerability.

After that, Western Digital quickly released a statement saying that it would patch the issue within a couple of weeks. The company also states that to exploit the issue, an attacker would need access to the user's local network, or the user would have to have changed the default settings to allow remote access to the NAS.

My Cloud devices with model numbers EX2, EX4, EX2100, EX4100 and EX2 Ultra are vulnerable, as are the My Cloud DL2100, DL4100, PR2100, PR4100 and the My Cloud Mirror (and 2nd gen).

It is unknown at this moment when Western Digital will make the patch available.