I have a first generation single bay WD My Cloud. Serial number is in WDBCTLxxxxHWT-00 range.
Currently WD My Book Live owners are the unfortunate targets of a remote attack that wipes the entire drive.
Is there a chance that old My Cloud devices are sharing this same vulnerability? The device already is EOL as I understand it and the latest firmware update I can find is from 2019. If ever present at all, was this exploit fixed in that latest update?
It appears CVE-2018-18472 currently affects just the Western Digital WD My Book Live and WD My Book Live Duo (all versions) devices for now. No official word yet if it extends to other WD products like the My Cloud line. A post over on Wizcase hints that “some models of WD MyCloud NAS contain a remotely exploitable vulnerability that lets anyone run commands on the device as root,” but it does not specify the exact My Cloud models affected.
Currently there is no mention of CVE-2018-18472 being patched in any of the OS3, OS2 or OS5 firmware updates for the single bay/single drive My Clouds.
My Cloud OS3 v4.x Release Notes: https://support.wdc.com/download/notes/WD_My_Cloud_Firmware_Release_Notes_04.05.00-342.pdf?v=409
My Cloud OS 3 v2.x Release Notes: https://support.wdc.com/download/notes/WD_My_Cloud_Release_Notes_FW_2.41.116.pdf
My Cloud OS 5 Release Notes: https://os5releasenotes.mycloud.com/
With the first gen v4.x single bay My Cloud being End of Updates, chances are probably low that they’ll patch that firmware if it is actually affected by this particular CVE. If the v4.x firmware is affected then probably the workaround is to prevent remote access/cloud access to the device.
WD’s Product Security Website: https://www.westerndigital.com/support/productsecurity
Recommended Security Measures for WD My Book Live and WD My Book Live Duo
So for now it’s not confirmed to be unsafe yet, but I also can’t be sure it is safe because of what Wizcase mentions. Oh well, better play it safe myself then. In the WD device settings I’ve disabled everything that mentions Remote or Cloud. In router settings I’ve blocked incoming traffic to the WD by both its IP and MAC address. I’ve also used Parental Controls to block WD outgoing traffic and I’ve disabled UPnP. That’s pretty much all I can think of, I hope it’s enough.
Bit more on this. From the Recommended Security Measures for WD My Book Live and WD My Book Live Duo posting by WD:
We have heard customer concerns that the current My Cloud OS 5 and My Cloud Home series of devices may be affected. These devices use a newer security architecture and are not affected by the vulnerabilities used in this attack. We recommend that eligible My Cloud OS 3 users upgrade to OS 5 to continue to receive security updates for your device.
And from an earlier WD posting, Recommended Upgrade to My Cloud OS 5, they state the following with respect to security updates on OS3 firmware:
We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here: WD My Cloud OS 5 Mobile App and Desktop Web Access | Western Digital
First gen single bay My Cloud users are basically out of luck since they cannot update their units to OS5 firmware. This leaves first gen users several options IF the v4.x firmware is affected by CVE-2018-18472 or similar CVEs that can allow root access to the firmware/device. At the very least, block broadband access to the first gen My Cloud; this includes disabling Cloud Access and FTP access. Of course this cripples a core “feature” of the device, remote access/cloud access. Load a different OS to the first gen My Cloud, one which either isn’t affected by this or other similar CVEs or which is continuing to have its OS code updated.
Clean OS (Debian), OpenMediaVault and other “firmwares”
https://community.wd.com/t/clean-os-debian-openmediavault-and-other-firmwares/93714
If after blocking broadband access to one’s My Cloud they still need remote access to the unit, one option for users is to use a VPN to access their local network and the My Cloud on that network. There are a number of free and paid VPN servers one can set up on their local network to gain secure remote access to their My Cloud.
Western Digital will not fix the vulnerability in older My Cloud OS3 storage devices (cablechronicles.com) https://www.cablechronicles.com/western-digital-ne-corrigera-pas-la-vulnerabilite-des-anciens-peripheriques-de-stockage-my-cloud-os3/
Couple of additional threads made earlier today in response to the following Krebsonsecurity.com article.
Another 0-Day Looms for Many Western Digital Users
https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/