I ran OpenVAS on my LAN and it was able to get root access on my NAS. The vulnerabilities here Western Digital MyCloud - Exploitee.rs have not been fixed.
The version of libupnp WD uses is 1.6.6 and contains multiple buffer overflow vulnerabilites (CVE-2012-5958, CVE-2012-5959, CVE-2012-5960, CVE-2012-5961, CVE-2012-5962, CVE-2012-5963, CVE-2012-5964, CVE-2012-5965) and needs to be updated to version 1.6.18.
Additionally, the Twonky server web console has no protection on MyCloud. You can see this by visiting http://your_nas_ip:9000/.
I know this is cheap quality consumer grade hardware but these vulnerabilities are unacceptable and undermines any of the security features advertised.
Is there an ETA for each of these items to be fixed? OpenVAS came back with other vulnerabilities but the ones listed above will lead to remote compromise and that’s what I can’t accept.
In the meantime, while we’re vulnerable I’d like to setup additional logging and monitoring. Does MyCloud support logging web access and general syslog to a remote syslog server? Thanks.
Based on that evidence I’m not going to hold my breath waiting for patched firmware.
For anyone reading this thread that may not fully understand what we’re talking about, allow me to rephrase the issue.
There are serious security problems on WD’s MyCloud product line. The nature of the problems show security was not given sufficient attention during the design of the software.
The data on your WD should not be considered private. Anyone on your home/office network will be able to access your data without using a password. Under no circumstance should these devices be exposed directly to the Internet or it will certainly be scanned and hacked by bots.
I regret spending a large amount of money on an EX4. Time to strip the drives and setup FreeNAS.
I’m doing something similar but not solely from a security perspective, but also stability perspective. My EX4100 is very unreliable with a tendency to lock up frequently. I logged requests with WB to get certain kernel modules enabled by default in the firmware that would greatly assist in troubleshooting the cause of the lockups, but fell on deaf ears. In the process this weekend of moving my data to a QNAP, so hope this will be a better experience.