Western Digital has just released an hotfix firmware update to resolve the authentication bypass vulnerability (CVE-2018-17153) that had remained unpatched in My Cloud NAS devices for over a year.
This vulnerability allowed anyone to bypass authentication and get administrative access to the router. Once an attacker gains access to a router, they can flash it with customer firmware, change DNS to point users to phishing sites, or perform other malicious activities.
After wide media coverage, Western Digital stated that they would be working on a fix for this vulnerability. Western Digital today posted to the BleepingComputer tweet about the unpatched vulnerability and has stated that a hotfix has been released.
Hi, just a heads up, the recently reported vulnerability in the My Cloud firmware has been addressed with a user-installable hotfix found here: https://t.co/uplC38HOdt This will be included in an over-the-air update as part of the normal upgrade schedule for these product— Western Digital (@westerndigital) September 21, 2018
For those using Western Digital My Cloud NAS devices, you can download the appropriate firmware update from the following list:
Instructions on how to install the firmware update can be found in this security notice.