GHOST vulnerability (CVE-2015-0235)

according to https://security-tracker.debian.org/tracker/CVE-2015-0235

Is the My Cloud affected, as it used Debian Wheezy?

Can we expect a fix this week? Should I take it offline?

NVD severity high (attack range: remote)

And what about the fixes in OpenSSL?

http://en.wikipedia.org/wiki/OpenSSL

Hello,

We have passed this along to support


Thank you very much!

Any news about a fixed firmware? I am only talking about the security vulnerabilities.

Yes, I contacted the support.

Hello,

Any information about firmware release and fixes will be published in the “News and Announcement” board.

News & Announcements

I wouldn’t hold your breath, they haven’t addressed vulnerabilities that are far older, such as POODLE. I don’t think they are too concerned with that kind of thing as it is more of a Harry Homeowner kind of product.

But it is their job to keep “the cloud of my own” secure! When the firmware is maintained like this, every other cloud storage service is safer :frowning:

They have to fix vulnerabilities as they appear, not in combination with bugfixes or new features.

And the communication guidelines haven’t changed since the Heartbleed bug! It is not WD’s fault, so they should be more transparent - the support is no real help, but they passed it on to the right department. As I said before, they should open a “security & best practices” page. And they should include the fixes in the readme.

Did they fix the NTP bug? Synology did that on 2014/24/17

Updated OpenSSL to 1.0.1k? Synology: 2015/01/22

GHOST: Synology 2015/02/04

POODLE: Synology 2014/11/12

Heartbleed: Synology: 2014/04/10  WD: 2014/04/16 for the EX4, 2014/04/21 for the My Cloud.

It’s a good product, but WD needs to change this.

Ugh, this is why I block My Cloud from the internet. :stuck_out_tongue:

So, this seems to be fixed in the Jessie repo.  Can we patch this ourselves like we did with Shellshock?

I took care of the SSLv3 vulnerability (I think that was Heartbleed, not sure), by editing the server.xml file in the Apache folder. There are others that you probably can’t do anything about and will probably need a firmware upgrade.

I ended up disabling the web server and manage it via SSH if I have to. I don’t think the Ghost vulnerability is that big a deal from what I’ve read, seems like it’s more to do with SMTP (email). I wouldn’t take my word for it though. Regardless, I think you have to be more or less nuts to expose your NAS to the Internet.

Edit: Sorry, I mean edit ssl.conf, not server.xml.

https://www.linkedin.com/jobs2/view/26929614

At least WD are trying to do something about their situation. It doesn’t help us for the time being, but it does offer a ray of hope for the future.

How exactly can I block My Cloud from the internet?

  • disable cloud access

  • close the ports you opened on your router