Hacking into a fully patched MyCloud EX4

Hi all,

I’m using the latest firmware (2.11.169) on a WD EX4. I read about the hard-coded password/backdoor in the past ("WD My Cloud NAS devices have hard-wired backdoor", The Register) and wanted to confirm the problem is fixed.

I ran OpenVAS on my LAN and it was able to get root access on my NAS. The vulnerabilities listed here (Western Digital MyCloud - Exploitee.rs) have not been fixed.

The version of libupnp WD uses is 1.6.6 and contains multiple buffer overflow vulnerabilities (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965) and needs to be updated to version 1.6.18.

Additionally, the Twonky server web console has no protection on MyCloud. You can see this by visiting http://your_nas_ip:9000/.

I know this is cheap quality consumer grade hardware but these vulnerabilities are unacceptable and undermine any of the security features advertised.

Is there an ETA for each of these items to be fixed? OpenVAS came back with other vulnerabilities but the ones listed above will lead to remote compromise and that’s what I can’t accept.

In the meantime, while we’re vulnerable, I’d like to set up additional logging and monitoring. Does MyCloud support logging web access and general syslog to a remote syslog server? Thanks.

2 Likes
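The post above names libupnp 1.6.6 as the shipped version and 1.6.18 as the fixed one. The following is an added example, not part of the original thread or any WD tooling: it reads the libupnp version a device advertises in the SERVER header of an SSDP/HTTP response and flags anything below 1.6.18. The sample responses and function names are constructed for illustration.

```python
import re

# Fixed release named in the post above; banners below it are flagged.
FIXED = (1, 6, 18)
# Product token libupnp places in the SSDP/HTTP SERVER header.
BANNER_RE = re.compile(r"Portable SDK for UPnP devices\s*/\s*(\d+(?:\.\d+)*)", re.I)

def server_header(response: str):
    """Return the SERVER header value from a raw SSDP/HTTP response, or None."""
    for line in response.splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def libupnp_version(response: str):
    """Extract the advertised libupnp version as an int tuple, or None."""
    header = server_header(response)
    match = BANNER_RE.search(header) if header else None
    if not match:
        return None
    parts = [int(p) for p in match.group(1).split(".")]
    parts += [0] * (3 - len(parts))          # "1.6" compares as 1.6.0
    return tuple(parts)

def assess(response: str) -> str:
    """Classify a response as 'outdated', 'ok' or 'unknown'."""
    version = libupnp_version(response)
    if version is None:
        return "unknown"                     # banner absent or rewritten
    # Compare numerically: as strings, "1.6.6" would sort above "1.6.18".
    return "outdated" if version < FIXED else "ok"

# Constructed sample responses (not captured from a real device).
SAMPLES = {
    "nas": "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
           "SERVER: Linux/3.2.40, UPnP/1.0, Portable SDK for UPnP devices/1.6.6\r\n"
           "ST: upnp:rootdevice\r\n\r\n",
    "patched": "HTTP/1.1 200 OK\r\n"
               "Server: Linux/4.14, UPnP/1.0, Portable SDK for UPnP devices/1.6.18\r\n\r\n",
    "other": "HTTP/1.1 200 OK\r\nSERVER: ExampleOS/1.0 UPnP/1.1 ExampleStack/2.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, libupnp_version(raw), assess(raw))
```

A banner only reports what the device claims, so an "outdated" result is a lead for follow-up and an "ok" or "unknown" result is not proof that the library is patched.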

The libupnp thingy was reported a few years ago for the WD MyCloud Mirror Gen1 here:

https://community.wd.com/t/security-vulnerability-cve-2016-6255-in-libupnp-allows-file-upload/176448

Even the recent firmware version 2.11.169 of the MyCloud Mirror is still vulnerable so I wouldn’t put much hope into getting a fix for this.

There is another recent flaw in Twonky where the My Cloud EX4 might be affected as well:

Based on that evidence I’m not going to hold my breath waiting for patched firmware.

For anyone reading this thread that may not fully understand what we’re talking about, allow me to rephrase the issue.

There are serious security problems on WD’s MyCloud product line. The nature of the problems shows security was not given sufficient attention during the design of the software.

The data on your WD should not be considered private. Anyone on your home/office network will be able to access your data without using a password. Under no circumstance should these devices be exposed directly to the Internet or they will certainly be scanned and hacked by bots.

I regret spending a large amount of money on an EX4. Time to strip the drives and set up FreeNAS.

1 Like

I know this and I fully understand you. WD sucks :-1:
I won’t buy their products anymore.

I’m doing something similar, not solely from a security perspective but also from a stability perspective. My EX4100 is very unreliable with a tendency to lock up frequently. I logged requests with WD to get certain kernel modules enabled by default in the firmware that would greatly assist in troubleshooting the cause of the lockups, but they fell on deaf ears. I’m in the process this weekend of moving my data to a QNAP, so I hope this will be a better experience.

Cheers,

JediNite