Hacking the Western Digital MyCloud NAS

Interesting article:

https://blog.exploitee.rs/?p=750

I hope very much, that WD is working on the exploits already and has fix ASAP.

This article does not bring the best light on my beloved NAS company…

1 Like

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/) that were addressed with the firmware update made available on December 20, 2016 (https://support.wdc.com/downloads.aspx?lang=en#firmware). We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at https://support.wdc.com/downloads.aspx?lang=en#firmware; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.