If you like the data on your WD My Cloud OS 3 device, patch it now
Western Digital has patched three critical vulnerabilities—one with a severity rating of 9.8 and another with a 9.0—that make it possible for hackers to steal data or remotely hijack storage devices running version 3 of the company’s My Cloud OS.
CVE-2021-40438, as one of the vulnerabilities is tracked, allows remote attackers with no authentication to make devices forward requests to servers of the attackers’ choosing. Like the other two flaws Western Digital fixed, it resides in Apache HTTP Server versions 2.4.48 and earlier. Attackers have already successfully exploited it to steal hashed passwords from a vulnerable system, and exploit code is readily available.
The vulnerability with a severity rating of 9 out of a maximum 10 stems from a server-side request forgery (SSRF). This class of bug lets attackers funnel malicious requests to internal systems that are behind firewalls or otherwise not accessible outside a private network. It works by inducing server-side applications to make HTTP requests to a domain of the attacker’s choosing.
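For defenders taking stock of exposure, the affected range quoted above (Apache HTTP Server 2.4.48 and earlier) can be checked against the `Server` headers already collected in an asset inventory. The following is an added example, not code from Western Digital or the Apache project; the host names and banners are constructed, and the function names are hypothetical.

```python
import re

# Per the article: the flaws reside in Apache HTTP Server 2.4.48 and earlier.
LAST_AFFECTED = (2, 4, 48)

# Product token as sent in a Server header, e.g. "Apache/2.4.48 (Unix)".
# The lookahead keeps "Apache-Coyote" (Tomcat's connector) from matching.
_APACHE = re.compile(r"\bApache(?![\w-])(?:/(\d+)\.(\d+)\.(\d+))?", re.IGNORECASE)


def classify_banner(banner):
    """Return 'affected', 'not-affected', 'unknown' or 'not-apache' for one Server header."""
    m = _APACHE.search(banner or "")
    if m is None:
        return "not-apache"
    if m.group(1) is None:
        # Version hidden or truncated (e.g. ServerTokens Prod): needs a manual check.
        return "unknown"
    version = tuple(int(part) for part in m.groups())
    return "affected" if version <= LAST_AFFECTED else "not-affected"


def triage(inventory):
    """Group hosts by classification; inventory is an iterable of (host, banner) pairs."""
    report = {"affected": [], "not-affected": [], "unknown": [], "not-apache": []}
    for host, banner in inventory:
        report[classify_banner(banner)].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, illustrative banners).
SAMPLE = [
    ("nas-01.example.internal", "Apache/2.4.48 (Unix) OpenSSL/1.1.1k"),
    ("nas-02.example.internal", "Apache/2.4.51 (Unix)"),
    ("nas-03.example.internal", "Apache"),
    ("web-01.example.internal", "nginx/1.20.1"),
    ("app-01.example.internal", "Apache-Coyote/1.1"),
    ("old-01.example.internal", "Apache/2.2.34 (Unix)"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:13} {', '.join(hosts) or '-'}")
```

A banner is only a hint: vendors can backport fixes without changing the reported version, so hosts flagged `affected` or `unknown` should be confirmed against the installed firmware release.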