Western Digital blocks unpatched My Cloud devices

Western Digital has blocked devices running vulnerable firmware versions from accessing its cloud services, the company said in an advisory.

The move comes a couple of months after the company released firmware updates for its My Cloud product line to address a critical path traversal bug that leads to remote code execution (RCE).

“Devices running unpatched firmware versions won’t be able to connect to Western Digital cloud services starting June 15, 2023, and users won’t be able to access their data until the device updates to the latest firmware,” the company said.

Users can, however, continue to access their data via Local Access, the procedure that allows access through network-mapped drives on a local network.

Flaw patched in May

The issue, tracked as CVE-2022-36327 with a CVSS severity of 9.8, could allow an attacker to write files to locations with certain filesystem types, leading to remote code execution on Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices.

The vulnerability required an authentication bypass issue to be triggered before it could be exploited. It affected My Cloud Home and My Cloud Home Duo before 9.4.0-191, SanDisk ibi before 9.4.0-191, and My Cloud OS 5 before 5.26.202.
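An added example, not from the article or from Western Digital: a fleet triage check that compares reported firmware against the fixed-in versions listed above for CVE-2022-36327. The host names, sample firmware strings and function names are constructed for illustration.

```python
import re

# Fixed-in versions for CVE-2022-36327, as listed in the article text.
FIXED_IN = {
    "My Cloud Home": "9.4.0-191",
    "My Cloud Home Duo": "9.4.0-191",
    "SanDisk ibi": "9.4.0-191",
    "My Cloud OS 5": "5.26.202",
}

def parse_version(text):
    """Turn '9.4.0-191' or '5.26.202' into a tuple of ints for comparison."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(-\d+)?", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))

def is_affected(product, firmware):
    """True if the firmware is older than the fixed release for this product."""
    return parse_version(firmware) < parse_version(FIXED_IN[product])

def triage(inventory):
    """Return (host, status) pairs. Unknown products or unparseable
    versions are marked 'review' rather than silently treated as patched."""
    results = []
    for host, product, firmware in inventory:
        try:
            status = "affected" if is_affected(product, firmware) else "patched"
        except (KeyError, ValueError):
            status = "review"
        results.append((host, status))
    return results

# Constructed sample inventory (hosts and most versions are made up).
SAMPLE = [
    ("nas-01", "My Cloud Home", "9.4.0-191"),
    ("nas-02", "My Cloud Home Duo", "9.0.0-1"),
    ("nas-03", "My Cloud OS 5", "5.0.0"),
    ("nas-04", "My Cloud OS 5", "5.26.202"),
    ("nas-05", "SanDisk ibi", "9.4.1-101"),
    ("nas-06", "Other NAS", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE):
        print(f"{host}: {status}")
```

Devices marked "review" need a manual check, since an unreadable version string says nothing about patch level.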

Western Digital released My Cloud OS 5 firmware version 5.26.202 on May 15, which addressed this bug and three other medium-severity issues. These other issues included uncontrolled resource consumption leading to denial-of-service (DoS), path traversal leading to sensitive information disclosure, and server-side request forgery (SSRF) bugs that can lead to the exploitation of other vulnerabilities.

On May 25, the company released firmware version 9.4.1-101 to resolve the SSRF bug in My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices.

Possibly exploited by BlackCat

Last month, ransomware group BlackCat released a set of screenshots on its leak site that it claimed were from data stolen in the Western Digital breach.

The images included screenshots of videoconferences and internal emails of the company. The screenshots also included an image of a recent meeting held by Western Digital where the company was discussing how to respond to the cyberattack.

Western Digital had disclosed the April 3 incident as a network breach in which an unauthorized third party gained access to a number of the company’s systems. The company had also said that it was taking certain systems and services offline as a proactive security measure.

These systems included My Cloud, My Cloud Home, My Cloud Home Duo, My Cloud OS 5, and SanDisk ibi services, as several users reported temporarily losing access to them.

Following the release of the screenshots, BlackCat posted a note stating it would eventually put Western Digital’s intellectual property up for sale. There have been no further updates on the issue since, with no confirmation of any ransom demanded.

Copyright © 2023 IDG Communications, Inc.