I’m new to the forums. I registed because I’m concerned about security.
We use the DL4100 in our office and today a colleague passed me a link to a blog post that says the My Cloud has “command injection” vulnerabilities. He said that it can be used to steal our files or destroy it.
Is my device vulnerable and is there a patch coming out soon? I have firmware version 1.06.133.
I tried the reboot example on the DL4100. Nothing happened and I got back from the NAS . . .
<core><error_code>401</error_code><http_status_code>401</http_status_code><error_id>57</error_id><error_message>User not authorized</error_message></core>
Thank you for testing. But, maybe you have to login first? If I understood the article correctly then you have to be logged in first. A hacker would send you a link to exploit it or another user would upload a large file that would do the same thing.
Unfortunately I cannot test this on my own device since I am away from my office ATM.
Could be. This would be the mitigating factor. It would require the hacker(s) to get you to log in to the NAS and for the approproate cookie or other information to be set to tell the NAS that the browser used is authorised to access the NAS at the user’s provilage level.
Say, for the DL and EX nas’s if using from a Public hotspot then an attacker-in-the middle could piggy-back or hyjack a session if access the UI from outside the LAN, but I have noticed that one can access the NAS using SSL. If using Mozille’s Firefox then you can tell the browser to make a permanant exception for the NAS’s own certificate.
Still, it’s a massive security issue. Someone at WD who wrote that code quite possibly has a very late night and forgot to add validation and now willl be paying the price for being a bit lazy.
I think WD should now be taking time to audit all their code to check for attach vectors and fix them.
Thank you for that Myron. Attacking me while I am logged in might be a long-short but I assume that it could happen.
How about the issue with big files (more than 2GB in size) with a name like $(sudo reboot).txt? My biggest worry here is that any user of this device can run commands like root. So, wouldn’t that compromise my data or any one else’s data on the device? We set up permissions for a reason, you know ;)Thank you.-Jason
I posted an announcement about the Verisprite blog in the My Cloud forums. The link is below. We have taken this seriously and will be releasing the fixes with the next firmware update coming out by the end of this month.
My Cloud OS 3 was released to the general public on 09/21/2015 and fixes the command injection issue.
Sorry but what is this “my cloud os3”?
My dl2100 says it is up to date and has firmware 2.x.
Im still confused. Is it a os number for GUI or the firmware number or what is it?
My Cloud OS 3 includes the ecosystem (Firmware, Mobile Apps, Web Files on wd2go.com, WD Sync, WD Access, etc)
2.10.310 is the latest My Cloud OS 3 firmware release for the DL2100