Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Security Infrastructure

Western Digital User Data Exposed by DNS Issue

A DNS configuration issue on a Western Digital (WD) server supporting the company’s My Cloud NAS products could have been exploited by malicious actors to gain access to potentially valuable user data. WD has taken steps to address the problem.

A DNS configuration issue on a Western Digital (WD) server supporting the company’s My Cloud NAS products could have been exploited by malicious actors to gain access to potentially valuable user data. WD has taken steps to address the problem.

Security researcher John W. Garrett discovered that a WD nameserver hosted at oriondns2.wd2go.com was not configured properly, allowing what is known as a DNS zone transfer.

The Domain Name System (DNS), the system that maps host names to IP addresses, allows a DNS namespace to be divided into different zones, represented by files that contain all the records for a specific domain. Zone transfer is the process of copying the content of a zone file from a primary DNS server to a secondary server.

Since these zone files contain information that could be useful to an attacker, experts recommend disabling zone transfer for public DNS servers. If the nameserver, the web server that runs DNS software, is incorrectly configured, an attacker can conduct a zone transfer and gain access to the zone file.

Garrett told SecurityWeek that WD’s oriondns2.wd2go.com nameserver allowed for a zone transfer of wd2go.com, giving access to the domain’s zone file. The researcher found that the zone file contained over 5.9 million records, including more than 1.1 million unique IP addresses and associated hostnames belonging to WD My Cloud users.

According to Garrett, the fact that the zone file was accessible did not pose a major security risk on its own. However, the expert pointed out that the information would have been highly useful for a malicious actor looking to exploit a zero-day vulnerability in WD My Cloud products, as it provided the attacker a long list of vulnerable users.

“Taken into account with what will be typically stored on a device like this and you have an astronomical loss of pictures, private details, banking information, etc,” Garrett said.

WD said it corrected the configuration and eliminated the vulnerability within hours of being notified by the researcher. The same issue was also addressed on a second server.

Advertisement. Scroll to continue reading.

The company said it scanned all of its servers to ensure that they are not exposed by similar issues, and reviewed the architecture and processes in place for modifying the configuration of nameservers.

“In addition, we performed an architecture and code review to measure the potential impact of other risks identified by the security report. Based on that review, we have prepared a balanced response that, in the event of detection of any active attacks, will mitigate those identified risks while minimizing potential disruptions to our customers,” WD said in an emailed statement.

Garrett also advised WD to release a software patch to change the hostname of each exposed device, but the vendor determined that the process introduces other problems that outweigh the security risks, especially since there is no evidence that someone other than the researcher accessed the zone file.

“We sincerely thank John W. Garrett for engaging Western Digital to responsibly disclose this concern in a manner that puts our customers and their security first. We highly value and encourage this kind of responsible community engagement and collaborative problem-solving because it ultimately benefits our customers by making our products better. We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support,” WD said.

Many vulnerable servers in the wild

WD’s misconfigured nameserver is just one of the many identified by Garrett. The researcher said he scanned a total of 6.8 million domains and identified over 508,000 vulnerable domains and more than 130,000 vulnerable nameservers.

“The main theory is that if a given nameserver allows for zone file transfer for more than one host; odds are good that the nameserver is misconfigured and will give away zone files for all hosts it resolves for,” he explained.

Garrett harvested the zone files using a tool he developed. The dataset has been made available on the Internet-Wide Scan Data Repository (scans.io) hosted by the Censys Team at the University of Michigan.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

People on the Move

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

Joe Levy has been appointed Sophos' permanent CEO, and Jim Dildine has been named the company's CFO.

CISA executive assistant director for cybersecurity Eric Goldstein is leaving the agency after more than three years.

More People On The Move

Expert Insights

Related Content

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Funding/M&A

Responding to Cyber Threats Against Critical Infrastructures: Wired Business Media Acquires Long Running ICS Cybersecurity Conference Series

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.

Security Infrastructure

Instead of deploying new point products, CISOs should consider sourcing technologies from vendors that develop products designed to work together as part of a...

Audits

The PCI Security Standards Council (SSC), the organization that oversees the Payment Card Industry Data Security Standard (PCI DSS), this week announced the release...

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.