Major Vulnerability Affects All Western Digital NAS Devices Running OS 3

Western Digital is still reeling from two different major exploits that were used to remotely wipe the hard drives of its My Book Live products, but the headache has not ended. Several other Western Digital NAS drives running its OS 3 also have a vulnerability that the company won't fix.

A new report published by security journalist Brian Krebs found that Western Digital products running the company's My Cloud OS3 software have a zero-day vulnerability that can only be fixed by upgrading to the company's OS 5 (there is no OS 4).

Two researchers, Radek Domanski and Pedro Ribeiro, originally planned to demonstrate the security flaw last year at a hacking competition, but Western Digital released OS 5, which patched the bug they had found, before they could. That new update nullified their work because the competition required entries to work against the latest firmware supported by the targeted device.

The two still published their findings in the video below that documents how the two discovered a chain of weaknesses that allows an attacker to remotely update the vulnerable device's software with a malicious backdoor using a low-privileged user account that has a blank password.

The problem can be solved by updating to OS 5, but not all devices that run OS 3 can be upgraded to OS 5, and not everyone who owns a device that runs OS 3 wants to upgrade because of changes that the company made to the user experience. Photographers in particular were negatively affected.

Not long after OS 5 was released, users began to complain that the upgrade was causing major usability issues. In a report from MacWorld, some alleged that upgrading required the complete deletion of storage media and that numerous functions that were beloved and used by the community were missing. For example, some reported that they could no longer access data via the desktop app, WebDAV, or the remote dashboard, nor were they able to organize their backups via WD SmartWare or WD Sync.

Additionally, OS 5 appeared to break numerous third-party apps that were developed for the system. According to MacWorld, the integrations with cloud services from Google, Dropbox, OneDrive, and Adobe were also eliminated.

Beyond these issues, photographers in particular reported problems: some described unending indexing for thumbnail generation that even froze their devices.

"I have EX2 Ultra 8TB about 1.2TB of data. It has been more than 24 hours indexing. What is going on?" one user reported.

"My fans have been running at 10k RPM solid since yesterday afternoon. I’m watching the HDD temps closely in case the fan craps out," said another.

"Photography is my hobby. I am using HOME-NAS to store and backup my photos. So I have at least more than 40,000 photos on hand, .jpg, .psd, or .raw," one user reported. "To be honest, I don’t need a thumbnail at all. I just want my photos to stay safe and I can reach them anywhere (of course with internet). But I don’t have an option to turn the thumbnail off. So now it seems that indexing would not stop, and My Cloud mobile app doesn’t work totally."

For these reasons, many photographers urged each other not to upgrade from OS 3 to OS 5 because of the issues.

"The My Cloud OS 5 release is a major upgrade that comprehensively upgrades the security architecture of the My Cloud operating system. Like all major operating system upgrades, the upgrade from OS 3 to OS 5 introduced new functionality and retired some older features that were infrequently used or had security concerns. Since the initial release in October of 2020, we have released updates to My Cloud OS 5 every month to respond to customer feedback, address issues, and restore top-used functionality that was omitted from the original release," a Western Digital representative told PetaPixel.

"To clarify, the upgrade from My Cloud OS 3 to OS 5 has never required complete deletion of storage media. In other cases, functionality is now provided in a different form or application; for instance, the WD Sync and SmartWare applications have been replaced with Acronis True Image for Western Digital, which offers backup and ransomware protection in a single application for Windows and Mac computers. We believe that My Cloud OS 5 offers the best and most secure personal cloud experience we’ve ever released and continue to recommend that all eligible OS 3 users upgrade as soon as possible."

Western Digital says that the best fix is simply to upgrade to OS 5, which for many doesn't feel like a solution since that operating system hurts them more than it helps. Unfortunately, Western Digital has openly stated that it has no plans to update OS 3 to fix the problem so that those who still enjoy the many features of that older operating system can also be protected.

If a device doesn't support the upgrade, Western Digital recommends simply buying a newer system.

"We will not provide any further security updates to the My Cloud OS3 firmware," the company has stated on a support page. "We strongly encourage moving to the My Cloud OS5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5."

PetaPixel reached out to NAS manufacturer Synology to ask if Western Digital's approach to ending support for physical devices -- like My Cloud Live or any device that cannot upgrade to OS 5 -- was standard in the industry.

The short answer is no, it's not a standard practice.

"Synology continues to support our NAS devices and DSM past the production life of any given model. The hardware is protected by a minimum two-year warranty, and we continue to offer technical support and DSM updates past the warranty period," a Synology representative said.

"No matter what piece of tech users are looking to buy, they should always look at the security update guarantees from the vendor. Considering a company’s stance on security and seeing a history of consistent updates and follow through should be a part of everyone’s buying process."

Western Digital's NAS offerings were likely chosen over products from Synology due to a mix of brand recognition and the ease of use promised by the My Cloud platform. Synology's system is more powerful and more easily customized, but it's not generally seen to be as user-friendly. Clearly, there is a tradeoff though, as Western Digital has repeatedly shown that it will sunset hardware by not supporting it with software updates beyond the production life of the product.

For those who own a device running OS 3 and cannot or do not want to upgrade to OS 5, Domanski and Ribeiro developed a free patch to keep the devices safe. Unfortunately, it will have to be reapplied each time the device is rebooted. The drives can also be kept safe by unplugging them from the internet.


Upgrade to OS 5, and if you can't, WD says you need to buy a new enclosure.

Another 0-Day Looms for Many Western Digital Users – Krebs on Security

This Week in Security: Bad Signs from Microsoft, An Epyc VM Escape

Code signing is the silver bullet that will save us from malware, right? Not so much, particularly when vendors can be convinced to sign malicious code. Researchers at G DATA got a hit on a Windows kernel driver, indicating it might be malicious. That seemed strange, since the driver was properly signed by Microsoft. Upon further investigation, it became clear that this really was malware. The file was reported to Microsoft, the signature revoked, and the malware added to the Windows Defender definitions.

The official response from Microsoft is odd. They start off by assuring everyone that their driver signing process wasn't actually compromised, like you would. The next part is weird. Talking about the people behind the malware: "The actor’s goal is to use the driver to spoof their geo-location to cheat the system and play from anywhere. The malware enables them to gain an advantage in games and possibly exploit other players by compromising their accounts through common tools like keyloggers." This doesn't seem to really match the observed behavior of the malware -- it seemed to be decoding SSL connections and sending the data to the C&C server. We'll update you if we hear anything more on this one.

Escaping the KVM

Let's talk virtualization, specifically a flaw in the KVM code for AMD hardware. There are a few distinctions to cover that make this more understandable. First, virtualization in Linux is split into two distinct parts. The Kernel Virtual Machine (KVM) is the driver that runs in the kernel, and handles the heavy lifting, like memory management, scheduling, and sending control instructions to the CPU. The other half is the userspace part, the most widely used project here being QEMU. This vulnerability is notable because it's in the KVM code itself, meaning that it runs in kernel space.

Our bug revolves around how the VMRUN instruction is handled in a nested virtualization environment. This instruction takes a block of data and initializes a new running VM. When it's called from within an already running VM, that data is sanity-checked, and then copied before being passed on to the underlying KVM. This process is the potential problem, because check-then-copy isn't atomic. In other words, it's possible to modify the nested VM initialization data after the checks are performed, but before the data is actually sent down the virtualization stack -- it's a Time Of Check, Time Of Use (TOCTOU) vulnerability.

There's one more important concept. The KVM module on the bare metal handles the bring-up of all VMs, even nested ones. All VMRUN calls have to go through the hypervisor kernel to get hardware virtualization acceleration. One bit of the VMRUN data indicates whether KVM is supposed to intercept this instruction. Setting that bit to 0 isn't supported, and just cancels the process. The problem is when a nested VM calls this command, but a process in the outer VM manages to change the bit to 0 after the checks. This results in code being run in an unintended way, overwriting the outer VM's configuration with the inner VM data.

To actually exploit this TOCTOU bug, the outer VM's permissions get overwritten, giving the VM greater access to the underlying hardware. One of those permissions allows the VM to overwrite the saved context address for a VMEXIT call. So with a few other tricks, the VM can use the TOCTOU flaw to give itself this permission, construct a malicious context, and trick the bare metal KVM process into switching to that malicious context, giving the attacker control over the system. I've glossed over a bunch of details here, so if you want the full details, go check out the full write-up, expertly put together by [Felix Wilhelm] of Project Zero.
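To make the check-then-copy problem concrete, here is an added example (not code from the Hackaday column, the Project Zero write-up, or KVM itself) that models the race deterministically: a hypothetical control block with an intercept bit, a callback standing in for the outer-VM thread that flips the bit during the window, and the copy-then-check ordering that closes the window because validation runs on the hypervisor's private snapshot rather than on guest-writable memory.

```c
/* Added example: deterministic model of the VMRUN check-then-copy TOCTOU
 * described above and the copy-then-check ordering that fixes it.
 * struct vm_ctrl, its field names and race_fn are simplifications for
 * illustration, not KVM's real data structures. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the guest-supplied VM control block. */
struct vm_ctrl {
    unsigned int intercept_vmrun; /* must be 1; 0 is unsupported */
    unsigned int other_fields;
};

/* Stands in for a sibling thread in the outer VM: invoked exactly in the
 * window between the hypervisor's check and its copy of guest memory. */
typedef void (*race_fn)(struct vm_ctrl *guest_block);

static bool validate(const struct vm_ctrl *b) {
    return b->intercept_vmrun == 1;
}

/* Vulnerable ordering: validate the guest's memory, then copy it.
 * Returns true if the hypervisor proceeds; 'out' holds what it will use. */
bool vmrun_check_then_copy(struct vm_ctrl *guest, struct vm_ctrl *out,
                           race_fn race) {
    if (!validate(guest))
        return false;              /* rejected up front */
    if (race) race(guest);         /* TOCTOU window: guest memory changes */
    memcpy(out, guest, sizeof *out);
    return true;                   /* proceeds with unvalidated data */
}

/* Fixed ordering: snapshot first, validate the snapshot, use the snapshot.
 * The racing thread can still change guest memory, but not the copy. */
bool vmrun_copy_then_check(struct vm_ctrl *guest, struct vm_ctrl *out,
                           race_fn race) {
    memcpy(out, guest, sizeof *out);
    if (race) race(guest);         /* same window, now harmless */
    return validate(out);
}

static void flip_intercept_bit(struct vm_ctrl *b) { b->intercept_vmrun = 0; }

/* 1 if the vulnerable path accepted a block whose intercept bit was cleared
 * after the check (the bug), 0 otherwise. */
int demo_vulnerable_accepts_cleared_bit(void) {
    struct vm_ctrl guest = {1, 0}, used;
    bool ok = vmrun_check_then_copy(&guest, &used, flip_intercept_bit);
    return ok && used.intercept_vmrun == 0;
}

/* 1 if the fixed path proceeds only with the validated snapshot. */
int demo_fixed_uses_validated_snapshot(void) {
    struct vm_ctrl guest = {1, 0}, used;
    bool ok = vmrun_copy_then_check(&guest, &used, flip_intercept_bit);
    return ok && used.intercept_vmrun == 1;
}

/* 1 if both orderings reject a block that is already invalid. */
int demo_both_reject_invalid_block(void) {
    struct vm_ctrl guest = {0, 0}, used;
    return !vmrun_check_then_copy(&guest, &used, NULL) &&
           !vmrun_copy_then_check(&guest, &used, NULL);
}
```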

Linkedin Data

A database of 700 million Linkedin users has shown up for sale on a forum, with one million samples released as evidence of good data. Certain sites are calling this a breach, which isn't entirely correct, as the data seems to be scraped from the Linkedin API and it doesn't include password hashes or private messages. This seems to be essentially the same data set as was reported back in April, possibly updated with fresh entries to make up the difference in numbers.

The My Book Story Continues

Last week we told you about the My Books that were being wiped remotely, and I speculated that it could be a ransomware campaign gone wrong. It seems like it wasn't ransomware at all, but someone covering their tracks after a remote exploit. There are actually two vulnerabilities at play here. The previously known CVE-2018-18472 seems to have been used to install a malicious binary on internet-accessible devices. It's not yet known what exactly that binary did, but probably something resembling botnet activity. Regardless, a second 0-day vulnerability, CVE-2021-35941, was used to trigger a remote factory reset. An early theory was that the binary was deployed by one attacker, and someone else triggered the reset, but WD's analysis found that in some cases, both attacks were launched from the same IP. Hopefully more of the story will come to light as the binary is investigated.

Zyxel 0-day

Zyxel has published a response to a recent spate of device compromises. Their response is very short on details so far, most notably lacking a CVE, the details of a vulnerability being exploited, or firmware that actually fixes the vulnerability.

The threat actor attempts to access a device through WAN; if successful, they then bypass authentication and establish SSL VPN tunnels with unknown user accounts.

The post is very heavy on how to prevent attackers from accessing an exposed web interface from the Internet, but it seems to me that the big question is how an attacker could trivially "bypass authentication". It's possible that attackers are simply running through a password list, and there isn't sufficient rate-limiting in the Zyxel firmware. I suspect, though, that this is a 0-day vulnerability being exploited in the wild.

As far as I can tell, it's over a week since this notice was first announced, and Zyxel still hasn't revealed whether they have a 0-day at play. That's irresponsible. Then again, Zyxel doesn't exactly have the best record for product security.

RPM's Problem

Ah, the Red Hat Package Manager. In some ways, it defined what a Linux distribution should look like, with decent software management and hard-to-break updates. Seriously, if I could change only one thing about the non-free operating systems out there, it would be to move the whole OS to something like RPM or dpkg. Instantly more usable, but I digress.

One of the benefits of the CentOS forks is that more people are looking at some of the under-the-hood code behind RPM-based systems. As a result, problems are found, like the fact that RPM doesn't check for certificate revocation or expiration. That sounds like a terrible vulnerability, but keep in mind that it was simply never part of the plan to use certificate revocation. That feature was never implemented, because it hasn't ever been needed or used. On the other hand, the lack of verification means that if a distro loses control of one of their signing keys, they will have a harder time containing the problem. Either way, patches are being worked on to add the checks to RPM's OpenPGP implementation.

Disable Print Spooler to Avoid PrintNightmares

There was a Windows vulnerability patched in June of this year, CVE-2021-1675, that allowed RCE using the print spooler. It appears that Microsoft's patch was a poor one, preventing one particular exploit rather than fixing the real problem. Once the patch was pushed as part of Patch Tuesday, multiple PoCs were disclosed, but surprisingly some of them still work! The still-working exploit is being tracked as CVE-2021-34527. A quick glance at the PoCs seems to indicate that it's a way to push an unsigned printer driver onto a machine that offers remote printing.

This vulnerability is easy to exploit, and working exploits are available, so expect attackers to add this to their bag of tricks very soon. It's serious enough that Microsoft and CISA are suggesting that we all turn off print spooler altogether on domain controllers, as well as any system that doesn't need to print.


Hackaday
Western Digital My Book Live: Network drives were attackable for years

Network HDDs from WD's My Book Live series were hijacked via an old security vulnerability. No updates are planned.

heise online
Western Digital Removed Code That Would Have Prevented Global My Book Wiping

A Western Digital developer removed code that would have prevented last week’s mass wiping of My Book Live storage drives, according to a report from Ars Technica. A hacker exploited this change in code, likely to disrupt another hacker who had turned some My Book Live devices into a botnet.

Hackers were able to wipe network drives
Hard drives erasable remotely
Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/7689-20210630-hacker-konnten-netzlaufwerke-loeschen.htm
Link on the Tor network: nnksciarbrfsg3ud.onion/de/articles/7689-20210630-hacker-konnten-netzlaufwerke-loeschen.htm

Alliance for civil liberties, against mass surveillance and security mania

A 0-Day, not 2018, WD My Book Live Exploit Was Used to Wipe Devices

According to a new report, hackers have exploited a 0-day, not the bug discovered in 2018, to mass-wipe WD My Book Live devices by taking advantage of a piece of code that WD removed that would have prevented it.

Just last week PetaPixel reported that an exploit was discovered through the WD community pages that caused some WD My Book Live users to have all of their data deleted. A further investigation alleges that the data wipes were not caused by just a single vulnerability, but a second critical security bug that let hackers remotely perform factory resets without the use of a password.

According to the investigation, a developer from the Western Digital team actually coded a requirement for a password before a factory reset was performed, but that requirement was later removed.

"The undocumented vulnerability resided in a file aptly named system_factory_restore. It contains a PHP script that performs resets, allowing users to restore all default configurations and wipe all data stored on the devices," Ars Technica reports.

As a point of security in modern tech devices, if a factory reset is desired, the user would need to use a password to properly authenticate the command to delete all stored data. Adding this critical step is supposed to protect users and prevent any malicious entities from accessing or destroying data, and ensures that only the owner could take those actions. It is generally successful in doing so as long as the user's password remains protected.

According to this new report, the WD Developer in question wrote five lines of code to password-protect the reset command and then at some point before the commercial launch of the products, canceled it (or in coding terms, commented it out).

This discovery comes just days after users from all over the world first reported that their devices had been affected, after which WD posted an advisory on its website stating that the attack used a vulnerability found in late 2018. Since the exploit was discovered years after the company officially stopped supporting the devices, a fix was never issued. It turns out that even if WD had patched that exploit, this other bug would still have allowed hackers to remotely delete users' data.

In a statement to Ars Technica, Derek Abdine, CTO of security firm Censys, said he believes the second exploit which caused the mass deletion was used by a different hacker to "wrest control of the already compromised devices" and prevent Western Digital from being able to release an update to fix the corrupted configuration files. Abdine also states that users who were affected by the initial hack seem to also have been infected with malware that makes the devices part of a botnet called Linux.Ngioweb.

Western Digital did not immediately respond to the request for comment.

Due to the discovery of the second vulnerability, My Book Live devices are even more insecure and unsafe to use than initially believed. As PetaPixel urged in its original coverage, it is prudent for all who currently own a WD My Book Live to disconnect them immediately from the internet.


WD My Book Live devices are even more insecure than initially believed.

MyBook Users Urged to Unplug Devices from Internet - Hard drive giant Western Digital is urging users of its MyBook Live brand of netwo... https://krebsonsecurity.com/2021/06/mybook-users-urged-to-unplug-devices-from-internet/

MyBook Users Urged to Unplug Devices from Internet – Krebs on Security