Do not buy!


#29

Yes, again: Meltdown and Spectre have no direct relevance for WD devices. What’s so hard to understand at this fact?


#31

Every proof you need for this is available at https://meltdownattack.com/, the referenced paper https://meltdownattack.com/meltdown.pdf and the google blogpost https://googleprojectzero.blogspot.de/2018/01/reading-privileged-memory-with-side.html

Just read those references, understand the attack vectors and you get your proof.


#33

Well, as already explained some posts above (seems i need to repeat stuff here over and over again) you either need to have local access to the device and run code on it (e.g. via SSH) in user space or trick a user with a vulnerable system to visit a malicious web page with his browser.

So now its your turn to explain how those two vulnerabilities have any relevance to a headless WD device where you don’t run a browser and already have root access via SSH and can do whatever you like.


#35

There are much easier ways to do that.

The MyCloud, which is the subject of this subforum, is a consumer device, not really intended for corporate use.

This is not to try to excuse WD for their appalling responses to reported vulnerabilities, but to try to alleviate some of the paranoia. Check my nom-de-net…


#36

Well anyway the topic is WD is not doing a great job. They have to fix spectre and meltdown and they have to fix all other bugs. The real problem with this company is they are not fast in reacting to such problems.


#38

But corporate users won’t be reading this subforum; go post on the appropriate subforum.


#39

Exactly what i’m saying already multiple times here. The CPU (Meltdown / Spectre) vulnerabilities don’t have any relevance for the WD devices:

You need local access to be able to abuse those vulnerabilities and if you have that access (either via some sort of allowed access via SSH or by using another vulnerability) there is no point in abusing those as you already go everything you need.


#42

You already have agreed to that with your post i have quoted in Do not buy! ?


#44

You’re free to post where you like.

But the other subforum would be more relevant.

I’m out.


#46

This discussion seems to have degenerated off into several tangents covering a variety of separate issues.

Yes this support forum layout is not ideal due in part to how WD has named their products. It has been a common complaint for years that WD is causing confusion with their product and firmware naming structure. WD should have a general thread for general discussions covering all of the My Cloud devices but they do not appear to have one. Many people erroneously come into this subforum thinking its a general forum to discuss issues with multi bay My Cloud units when technically its not.

With respect to the Meltdown and Spectre vulnerability. If the My Cloud processor is affected then the Meltdown and Spectre vulnerability are an issue even if one needs direct access to the device to issue the commands to exploit that specific vulnerability. The My Cloud line uses a number of different processors. Don’t know if there is a specific listing of what processors are affected by Meltdown and Spectre other than general listings like this one listing Intel processors:

WD typically doesn’t comment on specific security issues in these subforums other than to say they are looking into it, or to contact them directly, or that they’ve issued a firmware update to address the issue. There are valid reasons to not do so from a business standpoint just as there are valid reasons to inform one’s customers to specific vulnerabilities and how to mitigate them.

Right now there is a lot of hype, speculation, and potential fear mongering (not necessarily by anyone here) being spread on the Meltdown and Spectre and the various specific vulnerabilities of the My Cloud firmware.

Are these vulnerabilities serious? Yes. Should we My Cloud users be concerned about them? Yes. Should WD fix them ASAP? Yes. Should we toss out our My Cloud’s or not buy them because of these vulnerabilities? That is open to debate and everyone has their own opinion. It is important to remember that for most if not all these vulnerabilities it will require direct access to the My Cloud on the local network or for the user to visit a website that has been compromised with the specific malicious code that is targeting the My Cloud devices.

While I’m not diminishing the seriousness of the vulnerabilities discussed above, The reality is that the chances of a My Cloud being affected by these vulnerabilities is probably very slim for most users. If users take some basic common sense precautions (some of which has been previously discussed), the chances are significantly lessened they’ll ever be affected by these specific vulnerabilities, while we await WD to push out firmware that plugs these vulnerabilities.


#47

You can just check the processors used for the myclouds and most of then are affected. I didnt check every single processor yet but i checked enought


#49

No pissing contest, just a HUGE misunderstanding. Just to clarify:

I already had agreed on this multiple times before you even had posted this.

But this is the major part and the base of the discussion here about Meltdown / Spectre and probably lead to the misunderstanding. We’re talking here about “My Cloud - Personal Cloud Storage” devices, and all the devices i got a hand on from this product line has ONE single user (which is root). This is a product line for end-users / consumers and not a enterprise grade one where multiple less privileged users are working on the device.

If the discussion about Meltdown / Spectre is extended to multi-user WD devices then those vulns have for sure a relevance for those additional devices.


#50

Yep and Fox_Exe posted a link to that discussion a few hours ago with the processors for the My Cloud Home.

G-Sheet table for better understand and more details

WD MyCloud (Gen1) ----- Mindspeed Comcerto C2200 (2x650MHz)
WD MyCloud (Gen2) ----- Marvell Armada 375 (2x1GHz)
WD MyCloud (?? / Japan) ----- Marvell Armada 375 (2x1GHz)
WD MyCloud EX1100 ----- Marvell Armada 375 (2x1GHz)
WD MyCloud Mirror (Gen1) ----- Marvell Armada 370
WD MyCloud Mirror (Gen2) ----- Marvell Armada 385 (2x1.33GHz)
WD MyCloud EX2 ----- Marvell Armada 370
WD MyCloud EX2 Ultra ----- Marvell Armada 385 (2x1.33GHz)
WD MyCloud EX4 ----- Marvell Armada A300 (1x2.0GHz)
WD MyCloud EX2100 ----- Marvell Armada 385 (2x1.33GHz)
WD MyCloud PR2100 ----- Intel Pentium N3710 Quad Core 1.6 GHz
WD MyCloud DL2100 ----- Intel Atom C2350 (2x1.7 GHz)
WD MyCloud DL2200
WD MyCloud DL4100 ----- Intel Atom C2338 (2x1.7 GHz)
WD MyCloud EX4100 ----- Marvell Armada 388 (2x1.6GHz)
WD MyCloud PR4100 ----- Intel Pentium N3710 Quad Core 1.6 GHz
WD MyCloud MX4200
WD MyCloud Home ----- Realtek RTD1295PBCG (4x1.4GHz)
WD MyCloud Home Duo ----- Realtek RTD1296PBCG (4x1.4GHz)


#51

Per a post in the Multiple serious vulnerabilitys including Backdoor etc. as disclosed by gulftech.org discussion.

Per that link:

UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.

Per the WD blog link:

These had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Minor issues are being addressed in future updates. Additionally, the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.


#53

While not for the My Cloud one can check their Windows PC to see if the computer’s processor is affected by Spectre or Meltdown vulnerabilities. As time goes on they’ll probably be additional tools to check if one’s system is affected.

Edit to add: Another CPU checker tool.


#54

#55

Per the link for those who don’t want to click on it:

One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible. As always, we encourage users to contact Western Digital customer support should they need help updating their device. If you wish to contact customer support directly, please visit this page. You may need to use the “Change country” link on that page to find the most appropriate phone number for your location.


#56

Techarp.com has a link with a listing of processors that are potentially vulnerable to Spectre / Meltdown.


#57

Just a bunch of children here… go buy something else if you want. WE DON’T CARE.


#58

I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.