About CVE-2018-17153 vulnarability that's been fixed in v2.30.196 of the DL firmware

So, for how long has this particular security vulnerability known about by WD where it can let the entire planet have Admin access to the DL’s firmware?



Here is an interesting question. Can’t test it now as I’ve applied the latest firmware. The default admin username is “Admin”. Would the vulnerability work if the user-name of the admin account was changed to something other than “Admin”?

From my tests with a MyCloud Mirror 1st Gen (which most likely share the same code base with others of the 2.11.x/2.30.x devices) it will work with every valid username (only tested with the ones having admin permissions).

But that is no big problem as you can easily enumerate valid usernames from the exposed Samba server.

… but who would have the Samba server directly accessible to the Internet? A vulnerability of the Samba server should be contained within the local area network? (Have I missed something here?)

Sure, this would require the Samba server to be accessible from the internet (which is not quite uncommon).

But if the Samba server is not accessible from the internet and only the Web GUI you can still brute-force valid usernames from the outside, the exposed Samba server would make it only easier.