Yep. Here we go again. Another vulnerability reported to WD and no action publicly taken to fix the apparent vulnerability (for over a year). From the securify.nl article:
Tested versions
This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
Fix
There is currently no fix available.
Timeline
09 April 2017: Discovered vulnerability.
10 April 2017: Reported to Western Digital customer support.
…: No more vendor response
17 September 2018: Requested CVE
18 September 2018: CVE-2018-17153 assigned
18 September 2018: Published details
The following proof of concept demonstrates an attack abusing a user’s browser to remotely compromise (emphasis mine) a MyCloud device on a local network.
What I’m interested in knowing is whether this is going to be fixed by WD for My Cloud v1 (or whatever this model version was) as I think I did buy it nearly 5 years ago and it might be seen (by Western Digital, obviously) as reaching its EOL now…
Thanks for the update. I had a look at the link you supplied and can see neither the My Cloud WDBCTL0020HWT 2TB model (confirmed as vulnerable in my OP above), nor the 4 GB version (WDBCTL0040HWT) that I own.
Care to clarify this?
Would it also not be a good practice to list all vulnerabilities under the same link to ensure that you are aware of them all (and address either)?
@krzemien
My Cloud (Single Bay) WDBCTL with firmware string 04.0x.00-xxx is not affected
My Cloud (Single Bay) WDBCTL with firmware string 2.xx.xxx is affected
From SBrown’s link above, it appears only the second gen Mirror has a fix. It is possible that, like the first gen single bay My Cloud, the first gen Mirror may not be affected. Hopefully @SBrown can comment specifically on the first gen Mirror.