Western Digital NAS Devices Vulnerable to Five Critical Flaws

• Researchers discovered five highly critical vulnerabilities in Western Digital NAS devices.
• The flaws are all RCEs, allowing remote actors to access them and run code with root privileges.
• There’s a fixing patch out, but the update needs to be applied manually from the admin panel.

If you’re using Western Digital NAS (Network-Attached Storage) devices, you should update immediately to the patch released by the vendor on October 27, 2020, or later. The reason for this emergency is the existence of five critical vulnerabilities discovered by Comparitech’s security research team, who carried out its investigation at the beginning of September.

The researchers examined firmware version 2.40.155, which was the latest available at the time, and found the following five flaws:

• CVE-2020-25765 – Remote code execution vulnerability in reg_device.php due to insufficient validation of user input. CVSS score: 9.8 (critical)
• CVE-2020-27158 – Remote code execution vulnerability in cgi_api.php that allowed the escalation of privileges. CVSS score: 9.8 (critical)
• CVE-2020-27159 – Remote code execution vulnerability in DsdkProxy.php due to insufficient sanitization and insufficient validation of user input. CVSS score: 9.8 (critical)
• CVE-2020-27160 – Remote code execution vulnerability in AvailableApps.php that allowed the escalation of privileges. CVSS score: 9.8 (critical)
• CVE-2020-27744 – Remote code execution with resultant escalation of privileges. CVSS score: 9.8 (critical)

After discovering these flaws, the researchers scanned Shodan to figure out how many Western Digital NAS devices were vulnerable to exploitation. The total number they got is 86,362, with most of the vulnerable devices being based in the United States, the United Kingdom, Canada, the Netherlands, and Germany.

Western Digital was informed of the vulnerabilities immediately and released a fixing patch two weeks ago. The update is not automatic, so the users must log in to the admin interface and apply it manually. This is very important as the discovered flaws could lead to DDoS attacks, botnet takeover incidents, and data access.

In addition to applying the update, the researchers also recommend that you set up exclusive access to the NAS device through a VPN so that nobody else will access it and try to execute code on it. Finally, it is worth noting that the researchers of Comparitech only focused on remote code execution vulnerabilities, so there could be more flaws of other types affecting WD NAS devices.