GHOST vulnerability (CVE-2015-0235)

d_fens · February 4, 2015, 9:19am

according to https://security-tracker.debian.org/tracker/CVE-2015-0235

Is the My Cloud affected, as it used debian wheezy?

Can we expect a fix this week? Should I take it offline?

NVD severity

high (attack range: remote)

And what about the fixes in OpenSSL?

http://en.wikipedia.org/wiki/OpenSSL

Hamlet · February 4, 2015, 3:48pm

Hello,

We have passed this along to support

d_fens · February 4, 2015, 6:13pm

thank you very much!

d_fens · February 13, 2015, 10:54am

any news about a fixed firmware? I am only talking about the security vulnerabilities.

a

yes, I contacted the support.

Hamlet · February 13, 2015, 4:44pm

Hello,

Any information about firmware release and fixes will be published in the “News and Announcement” board.

News & Announcements

Goons · February 14, 2015, 12:46am

I wouldn’t hold your breath, they haven’t addressed vulnerabilities that are far older, such as POODLE. I don’t think they are too concerned with that kind of thing as it is more of a Harry Homeowner kind of product.

d_fens · February 14, 2015, 12:13pm

but it is their job to keep “the cloud of my own” secure! when the firmware is maintained like this, every other cloud storage service is safer

they have to fix vulnerabilities as they appear, not in combination with bugfixes or new features.

and the communication guidelines havent changed since the heartbleed bug! It is not WDs fault, so they should be more transparent - the support is no real help, but they passed it on to the right department. As I said before, they should open a “security & best practices” page. and they should include the fixes in the readme.

did they fix the NTP bug? synology did that on 2014/24/17

updated openssl to 1.0.1k? synology: 2015/01/22

GHOST: synology 2015/02/04

POODLE: synology 2014/11/12

Heartbleed: synology: 2014/04/10 WD: 2014/04/16 for the ex4, 2014/04/21 for the my cloud.

Its a good product, but WD needs to change this.

JAC70 · February 15, 2015, 2:58am

Ugh, this is why I block My Cloud from the internet.

So, this seems to be fixed in the Jessie repo. Can we patch this ourselves like we did with Shellshock?

Goons · February 15, 2015, 4:23am

I took care of the SSLv3 vulnerability (I think that was Heart Bleed, not sure), by editing the server.xml file in the Apache folder. There are others that you probably can’t do anything about and will probably need a firmware upgrade.

I ended up disabling the web server and manage it via SSH if I have to. I don’t think the Ghost vulnerability is that big a deal from what I’ve read, seems like it’s more to do with smtp (email). I wouldn’t take my word for it though. Regardless, I think you have to be more or less nuts to expose your NAS to the Internet.

Edit: Sorry, I mean edit ssl.conf, not server.xml.

d_fens · February 15, 2015, 9:46am

https://www.linkedin.com/jobs2/view/26929614

SectorGZ · February 15, 2015, 9:53am

At least WD are trying to do something about their situation. It doesn’t help us for the time being, but it does affer a ray of hope for the future.

escapegoat · February 16, 2015, 4:45am

how exactly can i block my cloud from internet?

d_fens · February 16, 2015, 7:55am

disable cloud access
close the ports you opened on your router