Engadget warns about security problem

Can we expect a new patch soon?


Holy COW!!!

80+ loopholes?

I do not let either MyCloud have internet access since version 3 firmware issues of security (I have Gen 1’s).

The article states the truth about WD’s scripting within the firmware. WD is not fast, if at all, at fixing its own firmware issues and definitely not with security. Since this was just published, and the article states it has warned WD of the issues before publishing, I would hope it would put pressure on WD to fix it all. I really don’t think that WD spends the time and effort to truly test their firmware. In my opinion whether this is a Corporate decision, lack of experienced coders, or the combination, WD has not really owned the issues of the MyCloud branch of NASes.

This is primarily a user to user support forum. Most of us here do not know if we’ll ever see a firmware update to fix some or many of the issues, including security issues, that have been discussed in past threads here. You can contact WD Support directly (https://support.wdc.com/contact_phone.aspx) and enquire to get an official answer from WD. Best you’ll get here from the few staff who monitor this user to user site is: “we’re looking into it”.

Like SectorGZ indicated if you are worried about the potential security issues with the My Cloud then do not enable remote access to the unit. That should cut down on some of the potential security vulnerabilities from outside the local network. Obviously that cripples one key feature of the My Cloud however.

I don’t expect anything, I just wanted others to be aware of the issue.

I can confirm that WD still does not take this too seriously :frowning:

The Engadget article points to Exploitee.rs who found/reported the exploits:
https://blog.exploitee.rs/2017/hacking_wd_mycloud/

Bugs Found Statistics

1 x Login Bypass
1 x Arbitrary File Write
13 x Unauthenticated Remote Command Execution Bugs
70 x Authentication Required Command Execution Bugs*

*“Authentication Required” bugs can be reached with the login bypass bug.

Scope

Most, if not all, of the research can be applied to the entire series of Western Digital MyCloud products. This includes the following devices:

My Cloud
My Cloud Gen 2
My Cloud Mirror
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100

More Info

For the complete listing and a small write-up on each of the bugs found during our Western Digital MyCloud research, visit the Exploitee.rs Wiki.

For updates on Western Digital’s response or alerts when new content is added to our wiki or blog follow us on twitter @Exploiteers

When can we expect a firmware update from WD to resolve these serious security issues?

Disabling remote access won’t block all attacks if the attacker just uses your browser to proxy the attacks from the internet to your intranet. This can be done using a by-design browser feature and works with any and all browsers. I’d just turn off the drive until a fix is ready.

Please everyone here tweet to WD @wdcreators about this and tell them to release a fix soon.
I already did.

Edit: send them a support email too with a link to the article.

WD is awful at fixing security issues, I mean they use software on the device which is either extremely old or even worse no longer maintained, the OpenSSL version WD uses for my MyCloud device is out of maintenance since the end of 2016.

And the 2nd gen MyCloud is so locked that as a user the only course of action would be to rip the drive out of the device and get something different.

Maybe it’s going to take an issue like the one that happened to Asus for WD to take their devices’, and more so, their customers’ security seriously. We’ll see what happens. I have seen on the web where some people, or groups, are getting together about the WD MyCloud long standing issues.

You guys are right, WD is not serious about this. Even after tweets and even a DM to them I got no reply at all. :frowning:

Leave an honest review on Amazon. I don’t think WD cares 2 cents about your photos and documents leaking if it doesn’t hurt their bottom line.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/) that were addressed with the firmware update made available on December 20, 2016 (Software and Firmware Downloads | WD Support). We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at Software and Firmware Downloads | WD Support; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

[Edit 3/14/17]

In addition to the login bypass issue we addressed earlier and which was reported by both Steven Campbell and exploitee.rs, we have architected a solution to the new login bypass identified by exploitee.rs. We are currently internally testing this solution and anticipate it will be released soon. That release also will contain scheduled fixes, including for the unauthenticated command injection issues previously and responsibly identified by security researchers SEC Consult and Securify and recently disclosed by exploitee.rs.

Bill, I want to believe your statement. But we both know it’s not true. Why haven’t you fixed the security issues I responsibly disclosed 2 years ago?

At least from the outside WD only appears to take action when it either 1) hurts their bottom line or 2) there is a huge PR nightmare.

Please start by fixing security issues that have been outstanding for 2 years, then we can talk.


Probably a good idea to set up some outbound firewall rules just to be sure.

I wish I could believe that but my MyCloud uses an OpenSSL version which is out of date, Samba, Linux, OpenSSH, and many more packages are also out of date. Currently I see for myself only two options:

  • I remove the hard drive from my MyCloud and get a new NAS
  • I replace the OS on my MyCloud

Both options will cost me the warranty, but well, nothing is perfect.


Yup; we all know that’s not true. It looks like WD have no genuine interest in sorting security loopholes, or bringing packages up to date, or even ensuring they’re actually using full release versions, rather than release candidates.

How will this affect the average end user? Would a ‘hacker’ need to know you have a MyCloud before they could target you?

No. There are various tools to find devices online. And find vulnerable devices