Western Digital is urging customers to update their WD My Cloud devices to the latest available firmware to keep receiving security updates on My Cloud OS firmware reaching the end of support.
“On April 15, 2022, support for prior generations of My Cloud OS, including My Cloud OS 3, will end,” the company said this week.
“If your device isn’t compatible with My Cloud OS 5, you will lose remote access and will only be able to access it locally. Devices on these older firmware versions will not receive security fixes or technical support.”
Western Digital advises customers to protect their data from attackers after the firmware is no longer supported by backing up their devices, disabling remote access, disconnecting it from the internet, and choosing a unique and strong password.
Those who have eligible devices can update them to My Cloud OS 5 (which will be supported at least until the end of 2026) before the end of support date.
If the device isn’t compatible with the My Cloud OS 5 firmware, they can consider upgrading to a device that is.
“My Cloud OS 5 is a major and fundamental security release that provides an architectural revamp of our older My Cloud firmware and adds new defenses to thwart common classes of attacks,” Western Digital says.
“We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware.”
20% discount coupons for upgrades
For details on finding if you have a device compatible with My Cloud OS 5, you can check the Firmware Availability and Supported Devices support page.
To make it easier to upgrade to a supported My Cloud device, in January 2022, the company will send 20% discount coupons to customers with devices that aren’t compatible with My Cloud OS 5 via email.
You will not be required to return your old device to use the coupon, which will be usable for 90 days to buy one of the qualifying products: My Cloud Home (8TB), My Cloud EX2 Ultra (16TB, 24TB, 28TB) or My Book (12 TB).
To underscore the risks of running unsupported firmware, in July, Western Digital warned of ongoing attacks targeting My Book Live and My Book Live Duo devices.
In some cases, these attacks led to all data from hacked devices being erased after the attackers triggered an unauthenticated factory reset vulnerability (CVE-2021-35941).
The threat actors deployed trojan malware on other compromised devices using exploits targeting a second bug, a critical root remote command execution flaw tracked as CVE-2018-18472.
The vulnerabilities exploited in these attacks were limited to the My Book Live device series that received the final firmware update in 2015.
Source: www.bleepingcomputer.com