Firmware Update for a Security Vulnerability regarding samba service (CVE-2017-7494)?

Legacy Products My Book Live
1

Hi Folks,

Will WD be providing a Firmware Update to protect against Security vulnerability regarding samba service (CVE-2017-7494).

The Current Firmware Version 02.43.10 - 048 (6/22/2015) to Resolved issue of POODLE (CVE-2014-3566) SSLv3 security vulnerability

Best Regards,

Crysta

2

Hello,

As a moderator I do not have access to this information. Please contact WD Support:

3

Are we allowed to contact support simply to ask a question like this? If not, do the moderators of this forum have the ability to pass our concern to the WD support team?

I bet every NAS customer who has heard of this vulnerability has the same concern. I know I have not been attacked via to this (possible) vulnerability and I assume Crysta hasn’t either or the question would have been a lot more heated. So we’re waiting for our NAS drives to be compromised.

I have no idea if MyBookLive or either generation of MyCloud actually has this vulnerability. I seriously doubt WD is going to say “Our firmware is vulnerable and we don’t know when it will be fixed”, but it would be reassuring to hear “It’s not vulnerable” or “Here’s the fix”. By hearing nothing we can (and probably should) assume the worst.

4

Yes.

5

Interesting!!! I have 3 Synology NAS all with Black and 2 Red HHD in them and they are already PATCHED…

I have yet to go to their forums or contact there Service Support for any problems or Vulnerability since they are always way ahead of the curve on these things.

I love WD’s Drives, Red, Black and Blue but I will never get another WD NAS, sad to say. I am quite protected in my environment so not to worried. I will wait and see how long it takes for WD Eng. to respond to there own forum, they have in the past. However if somebody else wants to jump through the support hoops of WD, all the power to them…

Best Regards,

Crysta

6

Any reason to assume anybody will respond to a question sent to their security reporting email server?

Also, the web site says we have to use a security key (which is provided) but does not give any indication of how to use the key. I posted my question without using the key assuming I would get some kind of bounce message if it was not accepted. I got no indication that my email failed. Is there any way to find out?