Engadget warns about security problem

WD is awful at fixing security issues. I mean they use software on the device which is either extremely old or, even worse, no longer maintained; the OpenSSL version WD uses for my MyCloud device has been out of maintenance since the end of 2016.

And the 2nd gen MyCloud is so locked that as a user the only course of action would be to rip the drive out of the device and get something different.

Maybe it is going to take an issue like the one that happened to Asus for WD to take their devices’, and more so, their customers’ security seriously. We’ll see what happens. I have seen on the web where some people, or groups, are getting together about the WD MyCloud long-standing issues.

You guys are right, WD is not serious about this. Even after tweets and even a DM to them I got no reply at all. :frowning:

Leave an honest review on Amazon. I don’t think WD cares 2 cents about your photos and documents leaking if it doesn’t hurt their bottom line.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/) that were addressed with the firmware update made available on December 20, 2016 (https://support.wdc.com/downloads.aspx?lang=en#firmware). We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at https://support.wdc.com/downloads.aspx?lang=en#firmware; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

[Edit 3/14/17]

In addition to the login bypass issue we addressed earlier and which was reported by both Steven Campbell and exploitee.rs, we have architected a solution to the new login bypass identified by exploitee.rs. We are currently internally testing this solution and anticipate it will be released soon. That release also will contain scheduled fixes, including for the unauthenticated command injection issues previously and responsibly identified by security researchers SEC Consult and Securify and recently disclosed by exploitee.rs.

Bill, I want to believe your statement. But we both know it’s not true. Why haven’t you fixed the security issues I responsibly disclosed 2 years ago?

At least from the outside WD only appears to take action when it either 1) hurts their bottom line or 2) there is a huge PR nightmare.

Please start by fixing security issues that have been outstanding for 2 years… then we can talk.


Probably a good idea to set up some outbound firewall rules just to be sure.

I wish I could believe that but my MyCloud uses an OpenSSL version which is out of date, Samba, Linux, OpenSSH, and many more packages are also out of date. Currently I see for myself only two options:

  • I remove the hard drive from my MyCloud and get a new NAS
  • I replace the OS on my MyCloud

Both options will cost me the warranty but well, nothing is perfect …

Yup; we all know that’s not true. It looks like WD have no genuine interest in sorting security loopholes, or bringing packages up to date, or even ensuring they’re actually using full release versions, rather than release candidates.

How will this affect the average end user? Would a ‘hacker’ need to know you have a MyCloud before they could target you?

No. There are various tools to find devices online. And find vulnerable devices…

That is the $64,000 question. A lot depends on how the “average user” is using their My Cloud. If they have enabled remote access then the potential is much greater. If they have remote access turned off it lowers, but does not eliminate, the chances of being hacked.

Port scanner is one way, as previous posters indicated. In order for the My Cloud to communicate with remote clients it typically has to open a port to do that communication; while the port(s) are open there is potential for two-way communication between the My Cloud and the internet.

As explained either in this thread or others, even closing those ports if using router port forwarding and disabling Remote Access through the My Cloud Dashboard, there still exists the potential for a remote hacker to gain access through the use of scripting to attack a web browser on a computer/device on the local network that also has access to the My Cloud. This second attack vector is much less likely to occur depending on how one surfs the internet, but the possibility still exists if the vulnerability remains unpatched in the My Cloud firmware.

Disabling remote access and using FTP is also not necessarily a wise idea from a security standpoint since FTP traffic is generally unencrypted and the initial handshake between the remote FTP client and the My Cloud FTP server can expose the User login name and their password since that information is sent unencrypted when using FTP.

There are potential ways to limit these potential security threats but they most likely involve using SSH to disable certain features/services running on the My Cloud. Of course disabling remote access negates perhaps the biggest selling point of the My Cloud.

These are the settings I use to disable direct internet access to/from my WD PR4100 NAS. Other models should be very similar. As an extra precaution, I also assign it a static IP address and block it at my router. To block it at the router, the easiest way is to use parental controls, but some routers also allow you to use custom rules and filters.

As mentioned previously, this does not eliminate all risk. However, if one is careful about where they browse using attached devices, it should greatly minimize the chances of getting hacked. Using ad and script blockers in your browser of choice (Firefox is mine) should further minimize the risk.

Cloud Access (Settings / General Tab):
Cloud Service: OFF
Connection Status: Disabled
Dashboard Cloud Access: OFF

Network Services (Settings / Network Tab):
IPv4 Network Mode: STATIC
IPv6 Network Mode: STATIC or OFF
FTP Access: OFF
SSH: OFF

Network Profile (Settings / Network Tab):
Status: No Internet access (Will appear after everything is done)
IPv4 DNS Server: BLANK
IPv6 DNS Server: BLANK
Gateway IP Address: BLANK
DNS Server1: BLANK
DNS Server2: BLANK
DNS Server3: BLANK

Granted, this will disable all Cloud access, but considering the current severe security vulnerabilities which remain un-patched, these precautions are a wise move. Personally, I have no interest in cloud-anything, so these settings are permanent on my network. I bought this NAS because I like the hardware, and hope to eventually customize the firmware to my liking, perhaps even permanently neutering the cloud aspects of its functionality in the process.

The downside is that not all routers (like the ones used by some broadband providers) will have parental control type features or have custom rules/filters that allow for blocking incoming traffic.

Edit to add: Also using filters to block traffic to the My Cloud may potentially affect other things on the My Cloud like NTP or automatic firmware upgrade.

Yes, filters would prevent automatic firmware updates, but given the track record of firmware updates causing problems, I prefer to only do manual firmware updates. This allows time to see if any problems arise after an update.

The NTP or Network Time Protocol also has vulnerabilities that appear from time to time so it’s always a good idea to keep this in mind. If the time on the NAS needs to be synchronized, it’s easy to add an exception for UDP port 123. In my case, I temporarily allow a connection if the time needs to be synchronized, which is rare.
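Added example, not part of any post in this thread: one way to express the "static IP, block it at the router, optional UDP 123 exception" setup from the posts above as custom router rules. It assumes a Linux-based router with iptables; the address 192.168.1.50, the WAN interface eth0 and the chain name NAS_ISOLATE are constructed placeholders, and the script only prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Added example: print (never apply) iptables rules that cut a NAS with a
# static LAN address off from the internet at the router.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# nas_rules NAS_IP WAN_IF [yes|no]
# Third argument "yes" adds the NTP exception (UDP port 123) from the thread.
nas_rules() {
    ip=$1; wan=$2; ntp=${3:-no}
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 1; }
    # A dedicated chain jumped to from the top of FORWARD, so accept rules
    # already present on the router cannot match first.
    echo "iptables -N NAS_ISOLATE"
    echo "iptables -I FORWARD 1 -j NAS_ISOLATE"
    if [ "$ntp" = yes ]; then
        # Outbound NTP queries, and only the replies that belong to them.
        echo "iptables -A NAS_ISOLATE -s $ip -o $wan -p udp --dport 123 -j ACCEPT"
        echo "iptables -A NAS_ISOLATE -d $ip -i $wan -p udp --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    fi
    # Everything else between the NAS and the WAN side is dropped, both ways.
    echo "iptables -A NAS_ISOLATE -s $ip -o $wan -j DROP"
    echo "iptables -A NAS_ISOLATE -d $ip -i $wan -j DROP"
}

# Constructed sample values: NAS at 192.168.1.50, WAN interface eth0.
nas_rules 192.168.1.50 eth0 yes
```

Traffic between the NAS and other hosts on the same LAN does not pass through the router's FORWARD chain, so local file sharing keeps working while these rules are in place.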

As do I, which is why I too have automatic firmware updates disabled in the Dashboard.

However, WD is telling people (see here, and here for example) to have automatic firmware updates enabled. As such, if the average Joe uses filtering to block access to the My Cloud to try and protect themselves from some of these security vulnerabilities they’ll lose the auto firmware update to the firmware and have to do it manually, which means they’d have to know the firmware has been updated in order to manually update. Unless they are aware of these issues and of a firmware update they won’t know to update their firmware if (ever) a fix is provided by WD.

I saw that they advised automatic firmware updates, which I have always found to be a very bad thing to enable. However, you make a very good point.

We always announce on our News and Announcements forum when we release a new firmware. You can click on the Tracking button at the right above the topic list, and change it to Watching. Then you’ll get notified whenever we release a firmware.

Currently we expected such a release yesterday. It’s not like the current firmware was up to date when it was released in December.

Hopefully we’ll see the new firmware in the next day or two as they’ve started rolling out new firmware for other units.

New Release - My Cloud EX4 Firmware Version 2.11.163 (3/20/2017)
New Release - My Cloud EX2 Firmware Version 2.11.163 (3/20/2017)
New Release - My Cloud Mirror Firmware Release 2.11.163 (3/20/2017)