Help! All data in mybook live gone and owner password unknown

UPnP by definition allows mapping one port number to another port number. This is extremely dangerous under ANY circumstance in my opinion. It does provide a quick and dirty way to resolve various issues in a simple way for common users which is why it is so much on consumer devices. Anyone with enterprise knowledge knows UPnP is never allowed.


So, do I understand correctly, that the port 80 of MyBook #1 gets forwarded as port 1234, and the port 80 of MyBook #2 gets forwarded as port 4567, and then an attacker can do a port-scan and send HTTP requests to http://xx.xx.xx.xx:1234/REST/api/… to exploit CVE-2018-18472?


Cameras all work on local network when I am in the house. Spookily, my Ring doorbell access still works when local and remote?? Is there a difference apart from Ring doorbell had no connection to NAS but security cameras used to FTP upload every few hours. Any other makes of NAS with a simple FTP programme?? Synology seems very complicated with DDNS required etc. Not sure I had to do all that with MBL to make FTP work?? What are other buying instead of MBL??

The only thing we’re going to be able to do is vote with our wallets. I’ve already bought a new NAS (Synology) and put a Seagate drive into it. No more WD for me.

I don’t think disabling remote access and auto updates was enough. I think people had UPnP enabled at some point and even after they shut it off perhaps their router left the ports open.

What make/model router/modem do you have? Is NAT turned on? Is the firewall on and how is it set?

I think if those that were affected share more router info we might get to the bottom of the attack vector.

I have my router with no ports forwarded, NAT turned on, Firewall set to ‘medium’ for whatever that’s worth, UPnP disabled and I was never attacked and I’m still up and running 24/7 as we speak.

See here -

Like the manual says: Push the button for four seconds


If UPnP is turned on in both the WD settings and enabled on the router, an nmap port scan will expose the open ports. That’s a hole straight from the Internet and into the WD device and at that point the only thing stopping compromise is the WD device. And, as we know, the WD devices were vulnerable so they got compromised.

UPnP shouldn’t be used on routers. There have been FBI bulletins telling everyone to turn it off because it’s a blaring security risk.
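The exposure described above (an external port on the router mapped straight through to port 80 on a MyBook Live) can be checked from inside the LAN by reading the router's own UPnP mapping table. As an added example that is not from this thread or from WD, the script below parses WANIPConnection:1 GetGenericPortMappingEntry responses and flags every active mapping that lands on a sensitive internal service; the responses, addresses, ports and descriptions are constructed inline rather than fetched from a router.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on a WANIPConnection:1 GetGenericPortMappingEntry
# SOAP response; a real audit would collect one of these per index from the router.
TEMPLATE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>
<NewProtocol>{proto}</NewProtocol><NewInternalPort>{inport}</NewInternalPort>
<NewInternalClient>{client}</NewInternalClient><NewEnabled>{enabled}</NewEnabled>
<NewPortMappingDescription>{desc}</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""

SAMPLE_RESPONSES = [  # constructed: two NAS boxes, a console, and a disabled ssh mapping
    TEMPLATE.format(ext=1234, proto="TCP", inport=80, client="192.168.1.50", enabled=1, desc="MyBookLive"),
    TEMPLATE.format(ext=4567, proto="TCP", inport=80, client="192.168.1.51", enabled=1, desc="MyBookLive"),
    TEMPLATE.format(ext=3074, proto="UDP", inport=3074, client="192.168.1.20", enabled=1, desc="Xbox"),
    TEMPLATE.format(ext=2222, proto="TCP", inport=22, client="192.168.1.50", enabled=0, desc="ssh"),
]

# Internal TCP services that should never be reachable from the WAN on a home NAS.
SENSITIVE_TCP_PORTS = {21: "ftp", 22: "ssh", 80: "http", 139: "netbios", 443: "https", 445: "smb"}

def parse_mapping(xml_text):
    """Extract one port-mapping entry from a GetGenericPortMappingEntry response."""
    root = ET.fromstring(xml_text)
    def field(name):  # the New* children carry no namespace, so a bare tag matches
        el = root.find(f".//{name}")
        return el.text if el is not None and el.text is not None else ""
    return {
        "external_port": int(field("NewExternalPort")),
        "protocol": field("NewProtocol").upper(),
        "internal_port": int(field("NewInternalPort")),
        "internal_client": field("NewInternalClient"),
        "enabled": field("NewEnabled") == "1",
        "description": field("NewPortMappingDescription"),
    }

def audit_mappings(responses):
    """Return the active mappings that expose a sensitive service, showing the
    translated port so it is clear that external 1234 -> internal 80 hides nothing."""
    findings = []
    for resp in responses:
        m = parse_mapping(resp)
        service = SENSITIVE_TCP_PORTS.get(m["internal_port"]) if m["protocol"] == "TCP" else None
        if m["enabled"] and service:
            findings.append(f'{m["internal_client"]}:{m["internal_port"]} ({service}, "{m["description"]}") '
                            f'reachable from WAN as {m["protocol"]}/{m["external_port"]}')
    return findings

if __name__ == "__main__":
    for line in audit_mappings(SAMPLE_RESPONSES):
        print("EXPOSED:", line)
```

Disabled mappings and UDP game-console mappings are skipped, so only the two NAS web interfaces are reported.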

And, yes, even just a simple Shodan search can find potential targets:

What kind of router do you have? You said UPnP was off. Do you mean the settings in the WD device, the router, or both? Are there any forwarded ports on your router?

You said UPnP is enabled on the router, but is it enabled on your MBL? I assume it probably is since you have remote access on the MBL enabled.

What kind of router/modem do you have? Is NAT turned on? Are firewalls enabled and set to a medium or above setting? What ports does your router show are forwarded?

The devices are sending stuff to WD even if they aren’t doing auto updates. If you put a block rule on your firewall for that device as the source, all sorts of stuff will show up.

Strangely, when I restricted the MBL in this way, it was still communicating with the internet.

One thing I’ve found with attempting to block the MBL on my ISP router/modem is it’s still able to communicate out, but it appears nothing is coming in. As a test, I ran a WD phone app outside my local network with its cellular connection and couldn’t connect to the MBL so that is somewhat reassuring. I know the phone app works because it does connect to the MBL on the local network just fine.

So far I’ve been running with UPnP disabled on both the WD device and the router with no open ports forwarded. NAT on the router is enabled and the firewall is set to ‘medium’ for whatever that is worth. I also set up a custom service blocker of all ports and applied it to the WD device just in case that helps. No attacks so far and it’s been on 24/7 since reports of the attack started. YMMV of course. It could be the attackers have backed off for now and the only reason I’m not getting compromised is because of that.

One reason I would think is anyone comes into your house with a compromised phone, tablet, or PC and your WD device would be vulnerable. You can reload the operating system with a more modern one if you can find a version of Debian or Openwrt that is supported. The only issue is it will be easier to replace the whole device with something from a more enterprise line that will be supported for longer than home grade stuff.

Don’t trust it. The way most firewalls work you might appear blocked until the device itself establishes a connection with the outside world. The state of inbound connections is blocked, but the firewall will almost always allow responses to solicited connections from the inside.

That just is not practical for the common user. Most families don’t have someone in the family with enterprise knowledge.

It’s not as hard as you think. Something from the entry level from Synology or Qnap will be almost as easy as WD and you won’t likely have everything wiped out by hackers. Same goes for NAT routers. Always go for something with more enterprise grade features, you might not need them, but in the event you do, you can just google how. Enterprise often means “better” and not “harder”. As someone who works with enterprise storage, networking, and data, we’re a lazy bunch. If everything was harder here we wouldn’t be in this career path.

Also, just for fun, I answer dozens of questions on reddit every day (and so do 1000’s of others like me). It’s actually how I ended up in this WD Saga 🙂

Bingo! And yes it is really that simple for such a bad security exposure CVE-2018-18472. A security rating of 9.8/10 in the enterprise would be stop everything fix / remediate immediately. In this case turn off the device and migrate to different device without such unfixable exposure.


Hi, I said UPnP was ON at the router which is an Asus RT-AC68U. There were no forwarded ports on the router, I only used upnp for transmission running on the MBL. I just turned it off today based on @Skyscape 's comments, and will reconfigure manual port forwarding.

I don’t trust it either. The data I have on my MBL is redundant and therefore expendable. However, so far so good.

And yes, the way NAT works when it communicates outward to a source it can allow communication back in from the same source and if WD has a compromised server somewhere you would be hosed. However, on top of NAT I also have the separate Firewall turned on within the router as well as a custom port blocking service I applied to the MBL after plugging it back in yesterday just to be extra cautious. It blocks every port possible coming in.

Will it all work? Time will tell, but it’s been on non-stop since backing up my stuff and no issues yet.

I have an Asus rt-ac68u. NAT is of course turned on. Firewall is of course on. Nothing forwarded now, but I just turned off upnp so I’ll have to manually configure port forward to transmission running on the MBL.

Turn Transmission off on the MBL. It should have 0 exposure to the external world. Plus that ancient of a version of Transmission is also going to be riddled with holes. Time for an upgrade.
