SecurityWeek

Western Digital User Data Exposed by DNS Issue

A DNS configuration issue on a Western Digital (WD) server supporting the company’s My Cloud NAS products could have been exploited by malicious actors to gain access to potentially valuable user data. WD has taken steps to address the problem.

Security researcher John W. Garrett discovered that a WD nameserver hosted at oriondns2.wd2go.com was not configured properly, allowing what is known as a DNS zone transfer.

The Domain Name System (DNS), which maps host names to IP addresses, divides its namespace into zones; each zone is described by a zone file that holds every record for that part of the namespace. A zone transfer (the AXFR query type) is the mechanism by which a secondary nameserver copies the complete zone from the primary so that it can serve the same data.

Because a full zone file enumerates every host the server knows about, the standard recommendation is to allow zone transfers only to the designated secondaries (restricted by IP address and, ideally, a TSIG key) and to refuse them from everyone else. If the nameserver (the server running the DNS software, not a web server) is not configured that way, anyone on the Internet can request a transfer and receive the entire zone.

Garrett told SecurityWeek that WD’s oriondns2.wd2go.com nameserver allowed for a zone transfer of wd2go.com, giving access to the domain’s zone file. The researcher found that the zone file contained over 5.9 million records, including more than 1.1 million unique IP addresses and associated hostnames belonging to WD My Cloud users.
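The check described above is a single query, `dig @<nameserver> <zone> AXFR`, against each authoritative nameserver of a zone; a correctly restricted server answers "Transfer failed", a misconfigured one streams the whole zone. The script below is an added example, not code from the article or from the researcher's tool: it parses the text that `dig` prints for a successful AXFR and summarises what the transfer exposed (record count, unique addresses, and hostnames tied to each address, which is the shape of the WD finding), and it scans a BIND-style named.conf for `allow-transfer` ACLs that permit any host. The zone content, the host names and the config snippets are constructed for the example and are not records from wd2go.com.

```python
"""Added example: summarise a captured zone transfer and audit allow-transfer ACLs."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout `dig @ns2.example.test example.test AXFR` prints.
# The names and addresses are made up (documentation ranges), not real WD records.
SAMPLE_AXFR = """\
; <<>> DiG 9.18.1 <<>> @ns2.example.test example.test AXFR
example.test.             3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
example.test.             3600  IN  NS     ns1.example.test.
example.test.             3600  IN  NS     ns2.example.test.
device-0001.example.test. 300   IN  A      203.0.113.10
device-0002.example.test. 300   IN  A      203.0.113.11
device-0003.example.test. 300   IN  A      203.0.113.10
device-0004.example.test. 300   IN  AAAA   2001:db8::4
www.example.test.         3600  IN  CNAME  web.example.test.
web.example.test.         3600  IN  A      198.51.100.7
example.test.             3600  IN  SOA    ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 300
;; Query time: 12 msec
"""

RR_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$")


def parse_axfr(text):
    """Return (name, type, rdata) for every resource record in dig AXFR output.
    Comment lines (';') are skipped. A transfer is framed by the SOA record at both
    ends, so the trailing copy is dropped to avoid double counting."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m or line.lstrip().startswith(";"):
            continue
        records.append((m["name"].rstrip(".").lower(), m["type"], m["rdata"]))
    if len(records) >= 2 and records[0][1] == "SOA" and records[-1] == records[0]:
        records.pop()
    return records


def summarize(records):
    """Count what the transfer disclosed: records by type, unique addresses, hosts
    that have an address, and addresses shared by several hostnames."""
    by_type = Counter(rtype for _, rtype, _ in records)
    host_to_ips, ip_to_hosts = {}, {}
    for name, rtype, rdata in records:
        if rtype not in ("A", "AAAA"):
            continue
        try:
            ip = str(ipaddress.ip_address(rdata))  # normalises IPv6 spelling too
        except ValueError:
            continue  # malformed rdata; ignore rather than miscount
        host_to_ips.setdefault(name, set()).add(ip)
        ip_to_hosts.setdefault(ip, set()).add(name)
    return {
        "records": len(records),
        "by_type": dict(by_type),
        "unique_ips": len(ip_to_hosts),
        "addressed_hosts": len(host_to_ips),
        "shared_ips": {ip: sorted(h) for ip, h in ip_to_hosts.items() if len(h) > 1},
    }


# Audit side: BIND 9 named.conf syntax is assumed. Constructed weak and corrected configs.
WEAK_CONF = """\
options { directory "/var/named"; allow-transfer { any; }; };
zone "example.test" { type primary; file "example.test.zone"; };
"""
FIXED_CONF = """\
options { directory "/var/named"; allow-transfer { none; }; };
zone "example.test" { type primary; file "example.test.zone";
    allow-transfer { 192.0.2.53; key "xfer-key"; }; };
"""
ALLOW_TRANSFER_RE = re.compile(r"allow-transfer\s*\{([^}]*)\}", re.S)


def open_transfer_acls(named_conf):
    """Return the allow-transfer ACL bodies that permit 'any' host. A config with no
    allow-transfer statement at all is reported as 'missing', because older BIND 9
    releases then defaulted to allowing transfers to every host."""
    bodies = [m.group(1).strip() for m in ALLOW_TRANSFER_RE.finditer(named_conf)]
    if not bodies:
        return ["missing"]
    return [b for b in bodies if "any" in re.split(r"[;\s]+", b)]


if __name__ == "__main__":
    print(summarize(parse_axfr(SAMPLE_AXFR)))
    print("weak:", open_transfer_acls(WEAK_CONF), "fixed:", open_transfer_acls(FIXED_CONF))
```

Run against a real `dig` capture, the summary gives the same figures the researcher reported for wd2go.com (total records, unique IPs, hostnames per IP); on the defensive side, `allow-transfer { none; }` in `options` plus a per-zone ACL naming the secondaries (and a TSIG key) is the corrected configuration the article's recommendation amounts to.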

According to Garrett, the exposure of the zone file did not pose a major security risk on its own. However, he pointed out that the information would have been highly useful to a malicious actor holding a zero-day vulnerability in WD My Cloud products, since it provided a ready-made list of Internet-reachable devices to target.

“Taken into account with what will be typically stored on a device like this and you have an astronomical loss of pictures, private details, banking information, etc,” Garrett said.

WD said it corrected the configuration and eliminated the vulnerability within hours of being notified by the researcher. The same issue was also addressed on a second server.

The company said it scanned all of its servers to ensure that they are not exposed by similar issues, and reviewed the architecture and processes in place for modifying the configuration of nameservers.

“In addition, we performed an architecture and code review to measure the potential impact of other risks identified by the security report. Based on that review, we have prepared a balanced response that, in the event of detection of any active attacks, will mitigate those identified risks while minimizing potential disruptions to our customers,” WD said in an emailed statement.

Garrett also advised WD to release a software patch to change the hostname of each exposed device, but the vendor determined that the process introduces other problems that outweigh the security risks, especially since there is no evidence that someone other than the researcher accessed the zone file.

“We sincerely thank John W. Garrett for engaging Western Digital to responsibly disclose this concern in a manner that puts our customers and their security first. We highly value and encourage this kind of responsible community engagement and collaborative problem-solving because it ultimately benefits our customers by making our products better. We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support,” WD said.

Many vulnerable servers in the wild

WD’s misconfigured nameserver is just one of the many identified by Garrett. The researcher said he scanned a total of 6.8 million domains and identified over 508,000 vulnerable domains and more than 130,000 vulnerable nameservers.

“The main theory is that if a given nameserver allows for zone file transfer for more than one host, odds are good that the nameserver is misconfigured and will give away zone files for all hosts it resolves for,” he explained.

Garrett harvested the zone files using a tool he developed. The dataset has been made available on the Internet-Wide Scan Data Repository (scans.io) hosted by the Censys Team at the University of Michigan.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.