Latest firmware still vulnerable

  Glad you’re taking security more seriously, but you should really have a direct line of communication available with the security team. I’ve shared the vuln with your support a while back, but the vuln is still alive and well… I can take over my cloud drive with the latest firmware.


Are you able to reproduce the steps to “take over” your WD My Cloud from outside your network?

I think the best approach to this would be to direct Edith’s observations to the relevant team. I get the distinct impression she knows what she’s talking about, and isn’t just some casual punter like the rest of us…

Remember the WD Glasnost:

http://community.wd.com/t5/My-Cloud/Potential-Security-Vulnerabilities-with-My-Cloud-Personal-Cloud/td-p/898578

"We sincerely thank James Sibley of VerSprite for coordinating with WD to responsibly disclose this concern in a manner that puts WD's customers and their security first. We highly value and encourage this kind of responsible community engagement and collaborative problem-solving because it ultimately benefits our customers by making our products better. We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com."

Hello,

We have passed this along to support.

EdithKain wrote:

  Glad you’re taking security more seriously, but you should really have a direct line of communication available with the security team. I’ve shared the vuln with your support a while back, but the vuln is still alive and well… I can take over my cloud drive with the latest firmware.

We have been trying to contact you about this, but you have not responded. Is there a reason?

I sent an email on October 3rd, 2015 at 10:19AM PDT revealing the 2 vulns to Sam. Like I said, you probably want to set up a mail address for reporting sec issues to avoid confusion.

Thanks Edith,

Some of us were unaware you had contacted Sam. They let us know right away.

Bill

As for the delay (2 days), I apologize for the inconvenience… But I already expended some energy (more than I should have) reaching out, sent the vuln details once prior, and not to be snarky… But I do have a job that pays me, which always takes precedence over this. So you’re welcome for reporting this yet again on my weekend down time :). /rant

We’re definitely looking into the vulnerability issue now. And, yes, snarkiness is accepted. :smiley:

Good morning Edith,

The information that you’ve reported is being analyzed by our development and security teams.

Thank You,

Samuel Brown

So it’s been 8 months and your device is still vulnerable to user -> administrator elevation via XSS. Also, a non-user of WD can remotely enable remote access on the device without creds for the device. A bit negligent to leave this unpatched for this long, don’t you think? Any updates?


In addition to posting to your thread you should, if you haven’t already, contact WD directly per their request.

We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at http://support.wdc.com

https://community.wd.com/t/my-cloud-dns-security-vulnerability-4-15-16/160289

Hi, what version of the firmware are you using? Also, we have passed this along to support.

AFAIK it’s the latest as of today - v04.04.03-113.

WD should have all the details. I shared it with them on 3 occasions via phone and email. It’s been 8 months since then.

Here’s a screenshot showing script injection into the console by a non admin user.

http://imgur.com/BF6jiq0

Wow!! This isn’t good at all :disappointed:

To Edith … although your original post was last October (hard to believe nothing has been done about this), I thank you for bringing this to WD’s attention again. Hopefully someone at WD will take this seriously.

Jesus…
Seems that I need to start visiting this forum more often.

@EdithKain
Please elaborate a little better.

Is this issue related to cloud access, to the NAS only, or to those poor apps?
Is everyone exposed to it, or do we need some specific settings?

Thanks.

WD support wants a dump of my router log to troubleshoot a simple XSS I’m trying to report… [Deleted]?

It does come across as distinctly amateurish.

But then so does their entire product family development path. If I were WD’s CEO, I’d be taking a serious look at my dev team.

Apparently WD support wants to ban me for saying “what the f…” in my last reply. So I guess I’ll be posting in a different forum not controlled by WD. If I were WD, I’d want the responsible security folks on their forum. But apparently WD cares more about clean language in their forums than gaping security holes in their product. Fun times.