I need to report a vulnerability

subsonic · October 8, 2016, 9:49pm

I need to report a vulnerability in WD MyCloud EX2 devices. Who do I contact?

SBrown · October 9, 2016, 12:28am

@subsonic I will PM you.

subsonic · October 18, 2016, 11:14pm

Hey. Any updates on the status? I know it may take a while, I was just wondering if there’s any feedback.

SBrown · October 19, 2016, 1:36am

Hello,

The information provided has been submitted to our security teams for analysis.
Have you a CVE number to share?

subsonic · October 19, 2016, 2:13am

I don’t have a CVE number to share. I’m not sure if I should be reporting it for a CVE or letting WD do that and mention me in the credits. I didn’t want to report this for a CVE without coordinating with WD. I believe in responsible disclosure. My concerns are first and foremost responsible disclosure, giving WD ample time to review and fix the issue before I disclose it publicly, followed by my desire to get credit for any related CVE. Please advise on WD’s process for reporting vulnerabilities and assigning CVE’s. Thanks

SBrown · December 13, 2016, 11:13pm

@subsonic

My Cloud firmware 2.21.126 has been released to the field for the following products.

What’s new!

• Resolved security vulnerability related to remote access.
• Improved My Cloud Cloud connectivity across My Cloud web, mobile & client apps.

My Cloud (Single Bay 2.xx firmware)
Firmware Release 2.21.126 (12/13/2016)
http://download.wdc.com/nas/My_Cloud_GLCR_2.21.126.bin

My Cloud Mirror Gen2
Firmware Release 2.21.126 (12/13/2016)
http://download.wdc.com/nas/My_Cloud_BWVZ_2.21.126.bin