Multiple Critical Vulnerabilities Fixed in WD My Cloud OS 3

Western Digital has fixed three critical vulnerabilities (one of which has a CVSS score of 9.8) in WD My Cloud OS 3. The bugs allow hackers to steal data and remotely take over devices running this OS.

The first vulnerability, CVE-2021-40438, allows unauthenticated remote attackers to force devices to redirect requests to servers of the hackers’ choice. Like the other two bugs, the problem affects the Apache HTTP server version 2.4.48 and earlier.

Attackers have previously used this bug to steal hashed passwords from a vulnerable system, and a PoC exploit for this vulnerability has long been available on GitHub.

The bug with a score of 9 out of 10 on the CVSS scale is of the SSRF type, so it is related to server-side request forgery.

The CVE-2021-39275 vulnerability already mentioned above, which scored 9.8 on the CVSS scale, is classified as critical and allows remote attackers to crash vulnerable systems and execute arbitrary code.

Two more issues, CVE-2021-36160 and CVE-2021-34798, also crashing remotely vulnerable systems.

Interestingly, the Apache developers released fixes for these bugs back in October last year, and it’s not entirely clear why it took Western Digital four months to include these patches in their OS.

However, last year Western Digital unveiled a plan to phase out My Cloud OS 3. That is, by now, users of devices with the old OS that are compatible with My Cloud OS 5 had to upgrade to the new version. If this was not done, users lose the ability to connect to their devices via the Internet, receive security updates and technical support.

Let me remind you that we also wrote that Reserchers discovered in Google Cloud, AWS, and Azure Explore 34 Million Vulnerabilities. You might also be interested to know what Amazon Introduces Access Analyzer is Cloud Basket Security Monitoring Service.