If you’re using Western Digital NAS (Network-Attached Storage) devices, you should update immediately to the patch released by the vendor on October 27, 2020, or later. The reason for the urgency is the existence of five critical vulnerabilities discovered by Comparitech’s security research team, which carried out its investigation at the beginning of September.
The researchers examined firmware version 2.40.155, which was the latest available at the time, and found the following five flaws:
After discovering these flaws, the researchers scanned Shodan to determine how many Western Digital NAS devices were exposed to exploitation. They found a total of 86,362, with most of the vulnerable devices located in the United States, the United Kingdom, Canada, the Netherlands, and Germany.
Western Digital was informed of the vulnerabilities immediately and released a patch two weeks ago. The update is not automatic, so users must log in to the admin interface and apply it manually. This is very important, as the discovered flaws could lead to DDoS attacks, botnet takeover incidents, and data access.
In addition to applying the update, the researchers also recommend that you restrict access to the NAS device to a VPN, so that it is not reachable by anyone else who could try to execute code on it. Finally, it is worth noting that the Comparitech researchers focused only on remote code execution vulnerabilities, so there could be more flaws of other types affecting WD NAS devices.
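Because the update is not applied automatically, an administrator with several NAS units has to find out which ones are still on vulnerable firmware. The following inventory triage script is an added example, not code from Comparitech or Western Digital: it parses firmware version strings of the form examined in the article (2.40.155) and flags any device at or below that version, or with an unreadable version, as still needing the manual update. The hostnames and the post-fix version 2.99.0 are constructed placeholders, not real values.

```python
"""Triage a NAS inventory for firmware that predates a vendor fix.

Added example: the inventory below is constructed, and 2.99.0 is a
hypothetical post-fix version used only to show a device that passes.
"""
from typing import List, Optional, Tuple

# Firmware version the researchers examined (from the article). Anything at
# or below it is treated as not yet patched.
LAST_VULNERABLE_VERSION = "2.40.155"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted version like 'X.YY.ZZZ' into a comparable tuple of ints.

    Returns None when the string is not purely numeric dotted components, so
    the caller can decide how to treat devices that report nothing usable.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def needs_update(version: str, last_vulnerable: str = LAST_VULNERABLE_VERSION) -> bool:
    """True when the firmware is at or below the last known vulnerable version.

    A version that cannot be parsed is reported as needing attention rather
    than silently passing (fail closed), since an unreadable version string
    is exactly the kind of device that gets forgotten during manual updates.
    """
    current = parse_version(version)
    reference = parse_version(last_vulnerable)
    if current is None or reference is None:
        return True
    # Tuple comparison is lexicographic, so 2.40.155 < 2.41.0 < 2.99.0 as expected.
    return current <= reference


# Constructed inventory for the example; hostnames and versions are made up.
INVENTORY: List[Tuple[str, str]] = [
    ("nas-01.example.internal", "2.40.155"),   # exactly the examined version
    ("nas-02.example.internal", "2.31.149"),   # older build
    ("nas-03.example.internal", "2.99.0"),     # hypothetical post-fix build
    ("nas-04.example.internal", "unknown"),    # version could not be read
]


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (host, version) pairs that still need the manual update."""
    return [(host, ver) for host, ver in inventory if needs_update(ver)]


if __name__ == "__main__":
    for host, ver in triage(INVENTORY):
        print(f"{host}: firmware {ver} -> log in to the admin interface and apply the vendor update")
```

Replace the constructed inventory with whatever your asset list or monitoring system reports for each unit; the point of the fail-closed handling is that a device whose firmware version cannot be read shows up in the list to be checked by hand rather than being assumed safe.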