Firmware update planned to fix CVE-2019-18929, CVE-2019-18930 and CVE-2019-18931 for EX2 Ultra?

tempaccount · February 1, 2020, 3:49pm

November last year three vulnerabilities with the CVEs CVE-2019-18929, CVE-2019-18930 and CVE-2019-18931 with a severity of HIGH and a CVSS score ranging between 8.8 and 9.0 have been published in public for the EX2 Ultra firmware versions 2.31.183 and 2.31.195:

CVE/CVE-2019-18929 at master · DelspoN/CVE · GitHub
CVE/CVE-2019-18930 at master · DelspoN/CVE · GitHub
CVE/CVE-2019-18931 at master · DelspoN/CVE · GitHub

As there is no mention of a fix for these CVEs in the recent New Release - My Cloud Firmware Version 2.31.204 (12/16/2019) i would like to ask for any plans to fix these in one of the next firmware versions?

Netranger · March 1, 2020, 12:19am

Hi,

I would like to know that too.

It has been 4 months since publication of those vulnerabilities.

SBrown · March 11, 2020, 6:16pm

Thank you for reporting your findings. WD takes the safe and secure use of our products seriously.

Please note that we have a Product Security Support Process which is the best way to ensure we are aware of a potential security issue. We have forwarded this message to the PSIRT for review.

WD Staff

tempaccount · March 14, 2020, 12:59pm

@SBrown

Thank you very much for this reply.

It seems the description.txt available in the linked github repositories of the Researcher contains the following text so your PSIRT might be already aware / informed about this:

[Has vendor confirmed or acknowledged the vulnerability?]

true

brannonb · March 20, 2020, 10:52am

Vendor Confirmed, Local/Root PoC for NFS .

MarioDelMonaco · August 11, 2020, 8:11pm

MarioDelMonaco · August 11, 2020, 8:13pm

(Too) many months later. Still no update to resolve these high risk vulnerabilities?

SBrown · August 11, 2020, 9:08pm

WD Community,

The CVE mentioned in this thread are addressed in My Cloud firmware 2.40.155 released to the public on 07/27

MarioDelMonaco · August 12, 2020, 9:06pm

Thank you! Both My Cloud ex2 ultra systems say that they cannot connect to update service (it worked flawless in the past, and I introduced no significant changes in my network devices or settings). And I could not find this new version with Google.
Kind regards, Maurice.

Myron · December 9, 2020, 10:46pm

My DL NAS has, today, collected the security update from WD’s firmware servers and is set to install the update while I sleep.

I guess it’s a good thing I keep the option to disallow Dashboard access from any IP address.
Still, I also do wonder why it has taken so long.