Well, as already explained some posts above (seems I need to repeat stuff here over and over again), you either need to have local access to the device and run code on it (e.g. via SSH) in user space or trick a user with a vulnerable system into visiting a malicious web page with his browser.
So now it’s your turn to explain how those two vulnerabilities have any relevance to a headless WD device where you don’t run a browser and already have root access via SSH and can do whatever you like.
Well, anyway, the topic is WD is not doing a great job. They have to fix Spectre and Meltdown and they have to fix all other bugs. The real problem with this company is they are not fast in reacting to such problems.
Exactly what I’ve been saying multiple times here already. The CPU (Meltdown / Spectre) vulnerabilities don’t have any relevance for the WD devices:
You need local access to be able to abuse those vulnerabilities, and if you have that access (either via some sort of allowed access via SSH or by using another vulnerability) there is no point in abusing those as you already got everything you need.
This discussion seems to have degenerated off into several tangents covering a variety of separate issues.
Yes, this support forum layout is not ideal due in part to how WD has named their products. It has been a common complaint for years that WD is causing confusion with their product and firmware naming structure. WD should have a general thread for general discussions covering all of the My Cloud devices but they do not appear to have one. Many people erroneously come into this subforum thinking it’s a general forum to discuss issues with multi-bay My Cloud units when technically it’s not.
With respect to the Meltdown and Spectre vulnerabilities: if the My Cloud processor is affected, then the Meltdown and Spectre vulnerabilities are an issue even if one needs direct access to the device to issue the commands to exploit that specific vulnerability. The My Cloud line uses a number of different processors. Don’t know if there is a specific listing of what processors are affected by Meltdown and Spectre other than general listings like this one listing Intel processors:
WD typically doesn’t comment on specific security issues in these subforums other than to say they are looking into it, or to contact them directly, or that they’ve issued a firmware update to address the issue. There are valid reasons to not do so from a business standpoint, just as there are valid reasons to inform one’s customers of specific vulnerabilities and how to mitigate them.
Right now there is a lot of hype, speculation, and potential fear mongering (not necessarily by anyone here) being spread about Meltdown and Spectre and the various specific vulnerabilities of the My Cloud firmware.
Are these vulnerabilities serious? Yes. Should we My Cloud users be concerned about them? Yes. Should WD fix them ASAP? Yes. Should we toss out our My Clouds or not buy them because of these vulnerabilities? That is open to debate and everyone has their own opinion. It is important to remember that for most if not all these vulnerabilities it will require direct access to the My Cloud on the local network or for the user to visit a website that has been compromised with the specific malicious code that is targeting the My Cloud devices.
While I’m not diminishing the seriousness of the vulnerabilities discussed above, the reality is that the chances of a My Cloud being affected by these vulnerabilities are probably very slim for most users. If users take some basic common sense precautions (some of which have been previously discussed), the chances are significantly lessened they’ll ever be affected by these specific vulnerabilities, while we await WD to push out firmware that plugs these vulnerabilities.
No pissing contest, just a HUGE misunderstanding. Just to clarify:
I had already agreed on this multiple times before you had even posted this.
But this is the major part and the base of the discussion here about Meltdown / Spectre and probably led to the misunderstanding. We’re talking here about “My Cloud - Personal Cloud Storage” devices, and all the devices I got a hand on from this product line have ONE single user (which is root). This is a product line for end-users / consumers and not an enterprise-grade one where multiple less privileged users are working on the device.
If the discussion about Meltdown / Spectre is extended to multi-user WD devices then those vulns have for sure a relevance for those additional devices.
“UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.”
Per the WD blog link:
“These had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Minor issues are being addressed in future updates. Additionally, the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.”
While not for the My Cloud, one can check their Windows PC to see if the computer’s processor is affected by Spectre or Meltdown vulnerabilities. As time goes on there’ll probably be additional tools to check if one’s system is affected.
Per the link for those who don’t want to click on it:
One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible. As always, we encourage users to contact Western Digital customer support should they need help updating their device. If you wish to contact customer support directly, please visit this page. You may need to use the “Change country” link on that page to find the most appropriate phone number for your location.
I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.
Guys, I have 2 My Cloud devices, they were just used to gain all my information through their vulnerabilities. I did not know of these… All of my devices on my network are infected now with malware and I cannot remove it with a combination of Malwarebytes and Bitdefender. Those programs did catch the initial infection but it’s still spreading and I don’t want to lose all of my data. Any suggestions?