Engadget warns about security problem

When can we expect a firmware update from WD to resolve these serious security issues?

Disabling remote access won’t block all attacks if the attacker just uses your browser to proxy the attacks from the internet to your intranet. This can be done using a by-design browser feature and works with any and all browsers. I’d just turn off the drive until a fix is ready.

Please, everyone here, tweet to WD @wdcreators about this and tell them to release a fix soon… I already did.

Edit: send them a support email too, with a link to the article.

WD is awful at fixing security issues. I mean, they use software on the device which is either extremely old or, even worse, no longer maintained; the OpenSSL version WD uses for my MyCloud device has been out of maintenance since the end of 2016.

And the 2nd gen MyCloud is so locked that as a user the only course of action would be to rip the drive out of the device and get something different.

Maybe it's going to take an issue like the one that happened to Asus for WD to take their devices’, and more so, their customers’ security seriously. We’ll see what happens. I have seen on the web where some people, or groups, are getting together about the WD MyCloud long-standing issues.

You guys are right, WD is not serious about this. Even after tweets and even a DM to them, I got no reply at all. :frowning:

Leave an honest review on Amazon. I don’t think WD cares 2 cents about your photos and documents leaking if it doesn’t hurt their bottom line.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/) that were addressed with the firmware update made available on December 20, 2016 (Software and Firmware Downloads | WD Support). We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at Software and Firmware Downloads | WD Support; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

[Edit 3/14/17]

In addition to the login bypass issue we addressed earlier and which was reported by both Steven Campbell and exploitee.rs, we have architected a solution to the new login bypass identified by exploitee.rs. We are currently internally testing this solution and anticipate it will be released soon. That release also will contain scheduled fixes, including for the unauthenticated command injection issues previously and responsibly identified by security researchers SEC Consult and Securify and recently disclosed by exploitee.rs.

Bill, I want to believe your statement. But we both know it’s not true. Why haven’t you fixed the security issues I responsibly disclosed 2 years ago?

At least from the outside WD only appears to take action when it either 1) hurts their bottom line or 2) there is a huge PR nightmare.

Please start by fixing security issues that have been outstanding for 2 years… then we can talk.


Probably a good idea to set up some outbound firewall rules just to be sure.

I wish I could believe that, but my MyCloud uses an OpenSSL version which is out of date; Samba, Linux, OpenSSH, and many more packages are also out of date. Currently I see for myself only two options:

  • I remove the hard drive from my MyCloud and get a new NAS
  • I replace the OS on my MyCloud

Both options will cost me the warranty, but well, nothing is perfect…

Yup; we all know that’s not true. It looks like WD have no genuine interest in sorting security loopholes, or bringing packages up to date, or even ensuring they’re actually using full release versions, rather than release candidates.

How will this affect the average end user? Would a ‘hacker’ need to know you have a MyCloud before they could target you?

No. There are various tools to find devices online. And find vulnerable devices…

That is the $64,000 question. A lot depends on how the “average user” is using their My Cloud. If they have enabled remote access then the potential is much greater. If they have remote access turned off, it lowers, but does not eliminate, the chances of being hacked.

A port scanner is one way, as previous posters indicated. In order for the My Cloud to communicate with remote clients it typically has to open a port to do that communication; while the port(s) are open there is potential for two-way communication between the My Cloud and the internet.

As explained either in this thread or others, even after closing those ports (if using router port forwarding) and disabling Remote Access through the My Cloud Dashboard, there still exists the potential for a remote hacker to gain access through the use of scripting to attack a web browser on a computer/device on the local network that also has access to the My Cloud. This second attack vector is much less likely to occur, depending on how one surfs the internet, but the possibility still exists if the vulnerability remains unpatched in the My Cloud firmware.

Disabling remote access and using FTP is also not necessarily a wise idea from a security standpoint since FTP traffic is generally unencrypted and the initial handshake between the remote FTP client and the My Cloud FTP server can expose the User login name and their password since that information is sent unencrypted when using FTP.

There are potential ways to limit these potential security threats but they most likely involve using SSH to disable certain features/services running on the My Cloud. Of course, disabling remote access negates perhaps the biggest selling point of the My Cloud.

The downside is that not all routers (like the ones used by some broadband providers) will have parental control type features or have custom rules/filters that allow for blocking incoming traffic.

Edit to add: Also using filters to block traffic to the My Cloud may potentially affect other things on the My Cloud like NTP or automatic firmware upgrade.

As do I, which is why I too have automatic firmware updates disabled in the Dashboard.

However, WD is telling people (see here, and here for example) to have automatic firmware updates enabled. As such, if the average Joe uses filtering to block access to the My Cloud to try and protect themselves from some of these security vulnerabilities, they’ll lose the auto firmware update to the firmware and have to do it manually, which means they’d have to know the firmware has been updated in order to manually update. Unless they are aware of these issues and of a firmware update, they won’t know to update their firmware if (ever) a fix is provided by WD.

We always announce on our News and Announcements forum when we release a new firmware. You can click on the Tracking button at the right above the topic list, and change it to Watching. Then you’ll get notified whenever we release a firmware.

Currently we expected such a release yesterday. It’s not like the current firmware was up to date when it was released in December.

Hopefully we’ll see the new firmware in the next day or two as they’ve started rolling out new firmware for other units.

New Release - My Cloud EX4 Firmware Version 2.11.163 (3/20/2017)
New Release - My Cloud EX2 Firmware Version 2.11.163 (3/20/2017)
New Release - My Cloud Mirror Firmware Release 2.11.163 (3/20/2017)