CyberSecurity SEE

Western Digital prevents access to unpatched My Cloud devices

Western Digital has made the decision to block devices running vulnerable firmware versions from accessing its cloud services. The move comes after the company released firmware updates for its My Cloud product line last month in order to address a critical path traversal bug that could potentially lead to remote code execution (RCE).

According to an advisory from Western Digital, devices running unpatched firmware versions will no longer be able to connect to the company’s cloud services starting June 15, 2023. Users will also be unable to access their data until their device has been updated to the latest firmware. However, users can still access their data via Local Access, which allows for access through network-mapped drives on a local network.

The critical path traversal bug, tracked as CVE-2022-36327, has a severity rating of 9.8 on the CVSS scale. Exploiting this vulnerability could allow an attacker to write files to locations with certain filesystem types and ultimately lead to remote code execution on Western Digital’s My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices.

Exploitation first requires triggering an authentication bypass issue. The affected devices include My Cloud Home and My Cloud Home Duo (before version 9.4.0-191), SanDisk ibi (before version 9.4.0-191), and My Cloud OS 5 (before version 5.26.202).

In response to the bug, Western Digital released a firmware update for My Cloud OS 5 on May 15. The update, version 5.26.202, not only addressed the critical path traversal bug but also resolved three other medium-severity issues. These additional issues included uncontrolled resource consumption that could lead to denial-of-service (DoS) attacks, path traversal leading to sensitive information disclosure, and server-side request forgery (SSRF) bugs that could potentially be exploited to target other vulnerabilities.

Furthermore, on May 25, the company released firmware version 9.4.1-101 to fix the SSRF bug in My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices.
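For administrators tracking several of these devices, the version thresholds above can be turned into an inventory check. The following is an added example, not code from Western Digital or the original article; the inventory rows are constructed, and the parsing assumes firmware strings are dot- or dash-separated integers as in the versions quoted above.

```python
import re

# Fixed-in versions for CVE-2022-36327, as stated in the article above.
FIXED_CVE_2022_36327 = {
    "My Cloud Home": (9, 4, 0, 191),
    "My Cloud Home Duo": (9, 4, 0, 191),
    "SanDisk ibi": (9, 4, 0, 191),
    "My Cloud OS 5": (5, 26, 202),
}
# Later release the article says fixes the SSRF bug on the Home family.
FIXED_SSRF_HOME = (9, 4, 1, 101)

def parse_version(text):
    """Turn '9.4.0-191' or '5.26.202' into a tuple of ints for comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:[.-]\d+)*", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))

def assess(model, firmware):
    """Return 'vulnerable', 'missing-ssrf-fix', 'patched' or 'unknown-model'."""
    fixed = FIXED_CVE_2022_36327.get(model)
    if fixed is None:
        return "unknown-model"
    version = parse_version(firmware)
    if version < fixed:
        return "vulnerable"  # below the CVE-2022-36327 fix
    if model != "My Cloud OS 5" and version < FIXED_SSRF_HOME:
        return "missing-ssrf-fix"  # path traversal fixed, SSRF fix not yet applied
    return "patched"

# Constructed inventory rows (hostname, model, firmware), for illustration only.
INVENTORY = [
    ("nas-01", "My Cloud OS 5", "5.25.124"),
    ("nas-02", "My Cloud OS 5", "5.26.202"),
    ("nas-03", "My Cloud Home", "9.4.0-191"),
    ("nas-04", "SanDisk ibi", "9.4.1-101"),
    ("nas-05", "My Cloud Home Duo", "8.12.0-178"),
]

def report(rows):
    """Map each hostname to its assessment."""
    return {host: assess(model, fw) for host, model, fw in rows}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```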

The decision to block devices with vulnerable firmware from accessing cloud services comes after the recent breach of Western Digital’s network. In a leaked set of screenshots, ransomware group BlackCat claimed to have stolen data from the company in the breach. The screenshots included videoconferences and internal emails from the company, as well as an image of a recent meeting where Western Digital was discussing how to respond to the cyberattack.

Western Digital had previously disclosed the breach on April 3, stating that an unauthorized third party had gained access to several of its systems. As a precautionary measure, the company took down certain systems and services, including My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, and SanDisk ibi.

In connection with the screenshots it released, BlackCat announced that it would eventually put Western Digital’s intellectual property up for sale. However, there have been no further updates on the matter, and it is unclear if any ransom demands have been made.

By blocking devices with vulnerable firmware from accessing its cloud services, Western Digital is taking proactive measures to protect its users’ data and prevent any potential exploitation of the critical path traversal bug. Users are strongly urged to update their firmware as soon as possible to ensure uninterrupted access to the company’s cloud services and secure their data from potential attacks.
