Firmware update planned to fix CVE-2019-18929, CVE-2019-18930 and CVE-2019-18931 for EX2 Ultra?

November last year three vulnerabilities with the CVEs CVE-2019-18929, CVE-2019-18930 and CVE-2019-18931 with a severity of HIGH and a CVSS score ranging between 8.8 and 9.0 have been published in public for the EX2 Ultra firmware versions 2.31.183 and 2.31.195:

https://github.com/DelspoN/CVE/tree/master/CVE-2019-18929
https://github.com/DelspoN/CVE/tree/master/CVE-2019-18930
https://github.com/DelspoN/CVE/tree/master/CVE-2019-18931

As there is no mention of a fix for these CVEs in the recent New Release - My Cloud Firmware Version 2.31.204 (12/16/2019) i would like to ask for any plans to fix these in one of the next firmware versions?

Hi,

I would like to know that too.

It has been 4 months since publication of those vulnerabilities.

1 Like

Thank you for reporting your findings. WD takes the safe and secure use of our products seriously.

Please note that we have a Product Security Support Process which is the best way to ensure we are aware of a potential security issue. We have forwarded this message to the PSIRT for review.

WD Staff

1 Like

@SBrown

Thank you very much for this reply.

It seems the description.txt available in the linked github repositories of the Researcher contains the following text so your PSIRT might be already aware / informed about this:

[Has vendor confirmed or acknowledged the vulnerability?]

true

Vendor Confirmed, Local/Root PoC for NFS .

1 Like

(Too) many months later. Still no update to resolve these high risk vulnerabilities?

1 Like

WD Community,

The CVE mentioned in this thread are addressed in My Cloud firmware 2.40.155 released to the public on 07/27

https://www.westerndigital.com/support/productsecurity/wdc-20006-my-cloud-firmware-version-2-40-155

1 Like

Thank you! Both My Cloud ex2 ultra systems say that they cannot connect to update service (it worked flawless in the past, and I introduced no significant changes in my network devices or settings). And I could not find this new version with Google.
Kind regards, Maurice.