Subject borrowed from El Reg:
More details here:
This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
There is currently no fix available.
Thoughts?
Yep. Here we go again. Another vulnerability reported to WD and no action publicly taken to fix the apparent vulnerability (for over a year). From the securify.nl article:
This vulnerability was successfully verified on a Western Digital My Cloud model WDBCTL0020HWT running firmware version 2.30.172. This issue is not limited to the model that was used to find this vulnerability since most of the products in the My Cloud series share the same (vulnerable) code.
There is currently no fix available.
The following proof of concept demonstrates an attack abusing a user’s browser to remotely compromise (emphasis mine) a MyCloud device on a local network.
What I’m interested in knowing is whether this is going to be fixed by WD for My Cloud v1 (or whatever this model version was) as I think I did buy it nearly 5 years ago and it might be seen (by Western Digital, obviously) as reaching its EOL now…
Shocking enough this is already known publicly since March 2017 or even longer including various PoCs
Exploitee.rs » Blog Archive » Hacking the Western Digital MyCloud NAS (Login Bypass)
Western Digital MyCloud - Exploitee.rs
Not talking about all the other currently publicly known and unfixed vulns:
https://community.wd.com/t/security-vulnerability-cve-2016-6255-in-libupnp-allows-file-upload/176448
Edit
We are in the process of finalizing a scheduled firmware update that will resolve the issue, which doesn’t affect the My Cloud Home drive. Get more info on our blog, here: https://blog.westerndigital.com/western-digital-my-cloud-update/
Thanks for an update. I had a look at this link you supplied and can see neither My Cloud WDBCTL0020HWT 2TB model (confirmed as vulnerable in my OP above), nor 4 GB version (WDBCTL0040HWT) that I own.
Care to clarify this?
Would it also not be a good practice to list all vulnerabilities under the same link to ensure that you are aware of them all (and address either)?
@krzemien
My Cloud (Single Bay) WDBCTL with firmware string 04.0x.00-xxx is not affected
My Cloud (Single Bay) WDBCTL with firmware string 2.xx.xxx is affected
Thanks for clarifications.
Will there be a software update soon as well? Because honestly the WD My Cloud browser software is total garbage. No search function even.
is there going to be a fix for the my cloud mirror ?
the only fix for (CVE-2018-17153) that can be found is not for the first gen
From SBrown’s link above it appears only the second gen Mirror has a fix. It is possible that like the first gen single bay My cloud the first gen Mirror may not be affected. Hopefully @SBrown can comment specifically on the first gen Mirror.
My Cloud OS 3: September 2018 Security Hotfix Firmware Download
My Cloud Mirror, EX2 and EX4 2.11.xxx code line and auto updates for 2.30.xxx code line is scheduled to release very soon.
| Forums | News and Announcements | Register | Help | Forum Guidelines |
Copyright © 2021 Western Digital Technologies, Inc. All rights
reserved.
|
Trademarks
|
Privacy
|
Community Terms of Service
|
Site Terms of Use
|
Copyright
|
Contact WD
|