DL-4100 My Cloud Security Issue

Hello,

Our security firm just flagged our My Cloud for a security concern. The notice is below:

Upgrade to libupnp version 1.6.18 or later. If libupnp is
used as a third party library by a different application,
contact the vendor of that application for a fix.

I called support and they said this was not supported. Our firmware is up to date but they told me that would not help with this. Anyone else run into this issue?

Hello jlm31600;

You were informed correctly by our support staff regarding your issue related to libupnp.

Are you using any third party application/software that precedes Libupnp as a library to play media files or connect to other devices within a user’s network?

Also, have you tried contacting libupnp for updates?

Would turning off DLNA Media make any difference with this vulnerability?

Hi jlm31600,

You can give it a try.

This has got my interest. Are you going to turn off the DLNA media server that’s part of the firmware or is this a third party app that has a DLNA server, like Plex, and it’s that which is being disabled?

The DLNA media server option under the My Cloud portal. Settings > Media > DLNA Media Server

Right. That one. I don’t use it. Using Plex. It’s far better and Plex regularly updates it. No need to wait for it to appear on the WD App Store. Download it from Plex’s site and manually update.

@alex.singh, it’s not a third-party app that’s the problem as such. Yes, it’s the Twonky media server, but it’s one that’s bundled with the MyCloud firmware and the only way to update that is for an official firmware update from Western Digital. As it’s not an app downloaded from the WD App Store then I would believe it’s the responsibility of Western Digital to get an updated copy of Twonky as soon as possible and then release a firmware update, hopefully with the other security holes (aka. SambaCry?) also closed.

It is astounding to me that WD’s official responses, be it through press releases, white-papers, support documents, or support staff on forums would tell its customers that the product contents which WD sells them are not within the support scope of WD; that it is the customer’s responsibility to chase WD’s vendors (even if that vendor is just some anonymous GitHub repository) to correct WD’s implementations, oversights, and neglect.

WD’s stance and commitment towards its firmware/software engineering and security is plainly deplorable. This has been demonstrated so solidly just within these forums that there exists no room for a meaningful debate. Qualys screams at these devices.

The only option I see at this point is to eat the loss of the product purchase and switch to a more supportable platform.

If WD’s position is that we customers should be chasing the creators and owners of components used within WD’s products in said product’s WD-shipped default state then they better (and quickly) move to completely open that product to have its components and firmware modified as the end user sees fit without negative consequences for that end-user on his claims of warranty rights.

WD should enable us end-users the access to the tools needed for us to craft, re-craft, modify, and replace the outdated and abandoned firmware that it ships as most current for their devices. WD should encourage the growth of a healthy 3rd party firmware environment which has more skills, dedication, and resources than WD is interested in delivering. Alternatively WD might be better served by not even trying to create their own NAS software/firmware OS. Adopt something that already has wider and timely support: 58 Top Open Source Storage Projects - Info Stor®

Is this going to happen? Probably not. So the best option is to eat the loss of the product purchase and switch to a more supportable platform.

WD will never see me as a customer again until I see positive changes demonstrated over an extended term. Likewise, I will advocate strongly against WD as a vendor in my sphere. I encourage you all to do the same.

And now we have news of a backdoor: WD My Cloud NAS devices have hard-wired backdoor • The Register

WD, please get your act together.

https://blog.westerndigital.com/western-digital-cloud-update/

FWIW I cannot login with mydlinkBRionyg with the password abc12345cba
Firmware 2.30.172

@SBrown, any chance you can kick people up the back-side as what I have successfully done is denial of service by changing the language of the entire Web UI to something that does not work. It took me a short while to somehow navigate a Web UI that didn’t want to work properly to somehow get into the settings and reset the language back to English.

Which is good, but a few other vulnerabilities and annoyances are present. One of which, moments ago, I thought I managed to brick the Web UI by changing the language to something else, which didn’t work and seemed to leave me with an unusable Web UI.