Critical vulnerabilities discovered by IoT and industrial cybersecurity firm Claroty in Western Digital (WD) and Synology network-attached storage (NAS) products could have exposed the files of millions of users.
The vulnerabilities and their exploitation were demonstrated at the Zero Day Initiative’s Pwn2Own Toronto hacker contest in December 2022, where participants earned a total of nearly $1 million for hacking smartphones, printers, routers, NAS devices, and smart speakers.
Both vendors have pushed out patches (in some cases automatically) and published advisories to inform customers about the vulnerabilities. Synology released one advisory and WD published three advisories, in December, January and May.
In the case of WD, Claroty researchers found a way to enumerate all cloud-connected NAS devices, impersonate them, and gain access to each system through the vendor’s MyCloud service. An attacker could have exploited the vulnerabilities to remotely access user files, execute arbitrary code, and take full control of cloud-connected devices.
“First, we enumerate all of the devices GUID, and choose our target list. We then impersonate the device, stealing its cloud tunnel and disconnecting the device. Any requests performed to the device will now reach us, giving us the authentication tokens for the device admin,” Claroty explained.
It added, “Using our newly gained permissions, we created a new share on the device, mapping it to the /tmp directory. We then write our reverse shell payload to that directory, and invoke a reboot through the cloud. Whenever the device will reboot, our payload will be executed, resulting in us executing code on the device.”
The cybersecurity firm also found vulnerabilities that allowed it to impersonate Synology NAS devices and force the QuickConnect cloud service to redirect users to a device controlled by the attacker.
An attacker could have leveraged the flaws to steal credentials, access user data, and remotely execute arbitrary code, giving them control over the device and the ability to launch further attacks.
Claroty’s analysis showed that millions of WD and Synology NAS devices were vulnerable to attacks.
Both the WD and Synology exploits were possible due to “weak device authentication based on publicly known information rather than secrets”, and Claroty believes similar issues likely impact devices from other vendors as well.
The company has published separate blog posts describing the WD and Synology vulnerabilities.
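The root cause quoted above, device authentication based on publicly known information rather than secrets, can be shown with a toy cloud relay. This is an added example, not code from Claroty, WD or Synology; the class names, the identifier format and the HMAC challenge-response design are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def device_proof(key, nonce, device_id):
    """HMAC over the relay's nonce, computable only with the provisioned secret."""
    return hmac.new(key, nonce + device_id.encode(), hashlib.sha256).digest()

class WeakRelay:
    """Hands the tunnel to whoever presents the device identifier (public data)."""
    def __init__(self):
        self.tunnels = {}  # device_id -> connection holding the tunnel

    def register(self, device_id, conn):
        self.tunnels[device_id] = conn  # latest claimant displaces the device

class HardenedRelay:
    """Hands the tunnel over only after proof of a per-device secret."""
    def __init__(self, provisioned):
        self.keys = dict(provisioned)  # device_id -> secret set at provisioning
        self.pending = {}              # device_id -> outstanding nonce
        self.tunnels = {}

    def challenge(self, device_id):
        self.pending[device_id] = secrets.token_bytes(32)
        return self.pending[device_id]

    def register(self, device_id, proof, conn):
        nonce = self.pending.pop(device_id, None)  # single use, so no replay
        key = self.keys.get(device_id)
        ok = nonce is not None and key is not None and hmac.compare_digest(
            device_proof(key, nonce, device_id), proof)
        if ok:
            self.tunnels[device_id] = conn
        return ok

def demo():
    dev_id, key = "guid-0001-constructed", secrets.token_bytes(32)
    weak = WeakRelay()
    weak.register(dev_id, "real-device")
    weak.register(dev_id, "second-claimant")  # knows only the identifier
    hard = HardenedRelay({dev_id: key})
    n1 = hard.challenge(dev_id)
    real_ok = hard.register(dev_id, device_proof(key, n1, dev_id), "real-device")
    n2 = hard.challenge(dev_id)
    guessed = hashlib.sha256(dev_id.encode()).digest()  # "key" from public data
    fake_ok = hard.register(dev_id, device_proof(guessed, n2, dev_id), "second-claimant")
    replay_ok = hard.register(dev_id, device_proof(key, n1, dev_id), "second-claimant")
    return weak.tunnels[dev_id], real_ok, fake_ok, replay_ok, hard.tunnels[dev_id]
```

In the weak relay the second claimant ends up holding the tunnel; in the hardened relay the tunnel stays with the party that holds the provisioned key, and a proof replayed against a used nonce is rejected.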

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
