CVE-2021-36224

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to log in to Western Digital My Cloud network-attached storage devices through the built-in 'nobody' account, which ships with a blank password. It affects all My Cloud devices running firmware before OS5. Because the account is present on every default installation, any password-authenticated service the device exposes (SSH in particular) accepts the login, which can lead to complete device compromise and theft of the stored data.

💻 Affected Systems

Products:
  • Western Digital My Cloud NAS devices
Versions: All firmware versions before OS5
Operating Systems: Western Digital My Cloud OS
Default Config Vulnerable: ⚠️ Yes
Notes: Every default installation has the 'nobody' account with a blank password. Whether it can be used over the network depends on which password-authenticated services are enabled on the device (SSH is an opt-in service). Models for which Western Digital does not offer an OS5 upgrade have no fix and must rely on the workarounds below.

📦 What is this software?

Western Digital My Cloud is a family of consumer and small-office network-attached storage (NAS) devices. They serve file shares on the LAN and provide a web-based management interface, optional SSH access and optional cloud remote access. Because they are typically powered on and reachable around the clock and hold the owner's data, a built-in account with a blank password is a serious exposure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device takeover, data exfiltration, ransomware deployment, and use of the NAS as a pivot point for attacks on the rest of the network.

🟠 Likely Case

Unauthorized access to stored files, changes to the device configuration, and data theft.

🟢 If Mitigated

Limited impact if the device is not reachable from the internet and access to its SSH and management ports is restricted to trusted administrator hosts.

🌐 Internet-Facing: HIGH - Devices exposed to internet can be easily discovered and exploited remotely.
🏢 Internal Only: MEDIUM - Still vulnerable to internal attackers or malware that reaches the device.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is a default-credential login, not a protocol-level bypass: an attacker who can reach a password-authenticated service on the device (SSH, where enabled) supplies the username 'nobody' and an empty password. No special tooling is needed and exploit code is publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OS5 and later

Vendor Advisory: https://www.westerndigital.com/support/product-security/wdc-21006-my-cloud-os5-firmware-release

Restart Required: Yes

Instructions:

1. Back up the data on the device before a major firmware upgrade.
2. Log into the My Cloud web interface.
3. Navigate to Settings > Firmware.
4. Check for updates.
5. Install OS5 or later firmware.
6. The device reboots automatically; confirm the new version afterwards under Settings > Firmware.

🔧 Temporary Workarounds

Network Isolation (applies to: all)

Remove the device from internet exposure by placing it behind a firewall or in an isolated network segment that only administrator hosts can reach.

Disable Remote Access (applies to: all)

Turn off all remote access features in the My Cloud settings, and disable SSH if it has been enabled. Note that the blank-password account remains on the device; these workarounds only reduce where it can be used from.

🧯 If You Can't Patch

  • Immediately disconnect the device from the internet and place it in an isolated VLAN
  • Implement strict firewall rules that block all inbound access to the device's ports except from trusted administrator hosts
  • Disable SSH and cloud remote access in the device settings if they are not required
  • Monitor the device's logs for any authentication as 'nobody' (see Detection & Monitoring below)

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the My Cloud web interface under Settings > Firmware. If the version is below OS5 (OS5 releases are numbered 5.x), the device is vulnerable.

Check the Account:

ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no nobody@[device_ip]

Press Enter at the password prompt. On a vulnerable device with SSH enabled, the login is accepted without a password. A rejected login does not prove the device is fixed: SSH is an opt-in service on these devices, and sshd only honours empty passwords when PermitEmptyPasswords is set, so treat the firmware version as the authoritative check.

Verify Fix Applied:

Confirm the firmware version shows OS5 or higher under Settings > Firmware. An SSH login attempt as 'nobody' with a blank password should then fail.
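The two checks above, as an added Python example that is not part of the original page or of Western Digital's tooling: a pure firmware-version check on the string shown in the web UI, plus an optional live SSH probe as 'nobody' with an empty password. The probe uses the third-party paramiko library (an assumption; it is imported lazily so the version check runs without it), and the host 192.0.2.10 is a placeholder. Run the probe only against devices you administer.

```python
"""Check a Western Digital My Cloud device for CVE-2021-36224.

Added example, not from the original page or Western Digital.
1. firmware_is_pre_os5(): pure version check on the string shown under
   Settings > Firmware. OS5 releases are 5.x; earlier firmware is lower.
2. probe_blank_password(): live SSH login attempt as 'nobody' with an
   empty password (needs the third-party 'paramiko' package, assumed to be
   installed separately; it is imported lazily).
"""
import re


def firmware_is_pre_os5(version):
    """Return True if the firmware version string predates OS5 (major < 5).

    Accepts the forms seen on My Cloud devices, e.g. "2.31.204",
    "04.05.00-342" (legacy single-bay units) or "5.17.107", with or without
    an "OS5 " / "v" prefix. Raises ValueError if no version number is found.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"no firmware version found in {version!r}")
    return int(m.group(1)) < 5


def probe_blank_password(host, port=22, timeout=5.0):
    """Attempt an SSH password login as 'nobody' with an empty password.

    Returns one of:
      "vulnerable"   the login was accepted: the blank-password account is live.
      "rejected"     the server refused the credentials. This does NOT prove
                     the device is fixed: sshd only honours empty passwords
                     when PermitEmptyPasswords is enabled, so the account can
                     still exist. Confirm with the firmware version.
      "unreachable"  no SSH service answered. SSH is an opt-in service on
                     these devices, so this is common even when vulnerable.
    """
    import paramiko  # assumption: third-party dependency, not in the stdlib

    client = paramiko.SSHClient()
    # One-off audit probe against a device you administer; this policy
    # disables host-key verification, so do not reuse it in production code.
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    try:
        client.connect(host, port=port, username="nobody", password="",
                       look_for_keys=False, allow_agent=False,
                       timeout=timeout, auth_timeout=timeout,
                       banner_timeout=timeout)
    except paramiko.AuthenticationException:
        return "rejected"
    except (paramiko.SSHException, OSError):
        return "unreachable"
    # Close immediately: only the authentication result was needed.
    client.close()
    return "vulnerable"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    print(f"{target}: ssh probe as nobody -> {probe_blank_password(target)}")
```

Feed the version string from Settings > Firmware to firmware_is_pre_os5() when SSH is disabled or the probe returns "rejected"; the probe alone can only confirm a vulnerable device, never a fixed one.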

📡 Detection & Monitoring

Log Indicators:

  • Any authentication attempt, successful or failed, for the 'nobody' account (it is a service account that should never log in interactively)
  • Successful SSH logins from hosts that are not administrator workstations
  • Bursts of failed SSH login attempts from a single source
  • Unusual file access patterns on the shares

Network Indicators:

  • SSH connections to the device from unexpected sources
  • Port scanning activity targeting the device

SIEM Query:

source="mycloud" AND ((event="authentication" AND user="nobody") OR (event="ssh_login" AND result="success"))

The parentheses matter: without them the source filter applies only to the first branch and the successful-login clause matches every source. The second branch also fires on every legitimate administrator login, so filter it against the known admin hosts once they are baselined.
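The indicators and query above, turned into runnable detection logic as an added Python example that is not from the original page. The log lines are constructed in standard OpenSSH syslog format and are not captured from a real device; the hostname WDMyCloud, the 10.0.0.0/24 administrator subnet and the threshold of five failures are assumptions to tune for your environment, and AUTH_RE must be adjusted if the device's syslog formats authentication events differently.

```python
"""Detection logic for CVE-2021-36224 indicators over sshd auth-log lines.

Added example, not from the original page. Flags any authentication as the
'nobody' service account, successful logins from outside the trusted admin
networks, and password-guessing bursts from a single source.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample log in OpenSSH syslog format; not from a real device.
SAMPLE_LOG = """\
Jul 14 02:11:03 WDMyCloud sshd[2231]: Failed password for admin from 10.0.0.5 port 51210 ssh2
Jul 14 02:11:09 WDMyCloud sshd[2231]: Accepted password for admin from 10.0.0.5 port 51210 ssh2
Jul 14 02:13:41 WDMyCloud sshd[2290]: Accepted password for nobody from 203.0.113.77 port 40022 ssh2
Jul 14 02:14:02 WDMyCloud sshd[2301]: Failed password for root from 203.0.113.77 port 40031 ssh2
Jul 14 02:14:03 WDMyCloud sshd[2301]: Failed password for root from 203.0.113.77 port 40031 ssh2
Jul 14 02:14:05 WDMyCloud sshd[2301]: Failed password for root from 203.0.113.77 port 40031 ssh2
Jul 14 02:14:06 WDMyCloud sshd[2301]: Failed password for root from 203.0.113.77 port 40031 ssh2
Jul 14 02:14:08 WDMyCloud sshd[2301]: Failed password for root from 203.0.113.77 port 40031 ssh2
Jul 14 02:20:00 WDMyCloud sshd[2350]: Failed password for nobody from 10.0.0.9 port 58000 ssh2
"""

# Matches "Accepted password for USER from IP port N" and the Failed variant;
# adjust if the device's syslog uses a different format.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumption: administrator workstations live here; tune to your network.
TRUSTED_ADMIN_NETS = [ip_network("10.0.0.0/24")]
# Accounts that must never authenticate over SSH on the NAS.
SERVICE_ACCOUNTS = {"nobody"}
BRUTE_FORCE_THRESHOLD = 5  # failed logins from one source before alerting


def parse_auth_events(log_text):
    """Yield a dict per sshd authentication line; other lines are skipped."""
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            yield {"result": m.group("result"), "user": m.group("user"),
                   "src": m.group("src"), "raw": line}


def is_trusted_source(src):
    """True if src is an IP address inside one of the trusted admin networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_ADMIN_NETS)


def detect(log_text):
    """Return a list of (rule, detail) alerts in the order they were raised."""
    alerts = []
    failures = Counter()
    for ev in parse_auth_events(log_text):
        if ev["user"] in SERVICE_ACCOUNTS:
            # A failed attempt means someone is probing the account; an
            # accepted one means the blank-password login is in use.
            sev = "CRITICAL" if ev["result"] == "Accepted" else "HIGH"
            alerts.append((f"service-account-auth/{sev}", ev["raw"]))
        if ev["result"] == "Accepted" and not is_trusted_source(ev["src"]):
            alerts.append(("login-from-untrusted-source", ev["raw"]))
        if ev["result"] == "Failed":
            failures[ev["src"]] += 1
    for src, n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            alerts.append(("password-guessing", f"{n} failed logins from {src}"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {detail}")
```

On the sample log this raises four alerts: the accepted 'nobody' login from 203.0.113.77 (once as a service-account login and once as a login from an untrusted source), the failed 'nobody' attempt from 10.0.0.9, and the five failed root logins from 203.0.113.77 as password guessing. The admin login from the trusted subnet raises nothing.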

🔗 References

  • Western Digital advisory WDC-21006: https://www.westerndigital.com/support/product-security/wdc-21006-my-cloud-os5-firmware-release
  • NVD entry for CVE-2021-36224: https://nvd.nist.gov/vuln/detail/CVE-2021-36224
