So, who at WD messed up on the last few updates to put a script into the firmware that allows unauthenticated file uploads, and is there any knowledge of any compromised WD MyClouds?
How many days from the release of this exploit to when WD released this very uber-urgent security update?
An assumption is that once the fix is installed on a compromised WD MyCloud system then the compromise code would be removed?
For me the update to 2.30.181 went well.
EDIT: Think I found my answer in: WD My Cloud NAS devices have hard-wired backdoor
So it was discovered January 8th and the update was released January 18th.
So, which Western Digital employee has been royally kicked in the backside for leaving a deliberate back door into the MyCloud firmware since version 2.30.165 or before?
WD’s blog on the matter: https://blog.westerndigital.com/western-digital-cloud-update/
GulfTech advisory: http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125