Latest firmware still vulnerable

Not quite sure what you are asking here. Are you looking for a way to prevent someone from accessing the My Cloud using (for example) http://wdmycloud? Are you looking to block it network wide or just on the local computers?

I suppose, although I haven’t tried it, one could (if using Windows) edit the HOSTS file to route http://wdmycloud to IP address 127.0.0.1. That might still allow access to the My Cloud using the My Cloud’s IP address but not using the My Cloud name.

http://helpdeskgeek.com/how-to/block-websites-using-hosts-file/

Our HDD, by default, has wdmycloud as name.

If someone code a webpage with, by example, a hidden frame that points to wdmycloud and run any of the exploits that we saw on this thread, an attacker could take control of our HDD remotely if we visited that webpage.

If we change the name by another one we solved the problem. The attacker will not find our HDD.

It’s easy to change the name on the configuration.

Prior to these, I disabled remote access, I fixed the IP on the configuration and I blocked access on the router with an IP rule.

Even if you change your MyCloud name from default, bad guys can still find it by proxying through your browser. Here’s an example video. https://youtu.be/DZqM6IZQtlM

Note, this video just shows how a bad server on the internet can find your WD My Cloud on your local network by scanning your network via your browser. It doesn’t perform the subsequent attack. This is utilizing by-design functionality in the browser so there’s nothing to patch.

TLDR: Changing your My Cloud server name to something unique won’t protect you because the attacker can just scan your network via your browser.

Ok EdithKain, thank you, but are there any method to disable the My Cloud web UI?

I think bennor mentioned you could ssh to kill httpd. Personally, I’d just power off the device and not use it since there’s too many issues with it.

Yes it was either me or someone else who suggested one could stop the Apache2/HTTPD service. Don’t know how effective that would be at securing the device though.

One can stop the Apache2/HTTPD service using SSH to issue the following command:
service apache2 stop
To restart the service:
service apache2 start

One could further modify the My Cloud startup files to stop the service from starting or turning it off after it starts.

More on securing WD My Cloud while we’re waiting for a patch…

I have discovered that if I block Internet access to HDD over ip (on the router) this disables at least samba access on the local network.

Has anyone tried access by NFS while internet access blocked by firewall?

And the clock keeps ticking…

We’re at 24 days now and counting with no official release from WD fixing the latest reported security vulnerabilities other than updated firmware for three models that was subsequently removed from auto download and official download. We are also at 24 plus days and counting with WD at the very least being up front and explaining to users what they can do to mitigate these security vulnerabilities while awaiting a firmware fix.

I’ve went ahead and patched my NAS.

Here’s what I did.

Ripped out the Red drive from My Cloud, threw away My Cloud hardware, bought Syncology Diskstation from Amazon, put the extracted red drive in to Syncology drive bay.

Boom, 90 publicly known security bugs mitigated :slight_smile:

I can guarantee you not all security bugs will be patched by WD. I reported the remote My Cloud takeover vulns 5 times over the past 2 years. These are seperate from the 85+ bugs publicly disclosed recently. Here’s the canned message I received each time -

Thank you for contacting Western Digital Customer Service and Support.

Please accept our apologies for the inconvenience you are experiencing, I am happy to assist you with your inquiry.

I have escalated the case to my supervisor for further assistance. Please allow 12 - 48 business hours for an update regarding this matter.

Guess what, after months and months of waiting, the supervisor never followed up. Same story each time I reported. If you’re not on a budget I’d dump WD and get something else.

It was a joke.

Not saying it’s perfect but I’ll gladly pick the product with a few functional bugs over one that has dozens of publicly disclosed and unpatched remote code execution vulnerability.

Priorities right? :slight_smile:

So what did you end up with?

Are those files and directories really that big of a deal? Windows created Thumbs.db files, macOS .DS_Store and other weird stuff. Dropbox has something like that. KDE creates files in folders.

How big are they? And since DSM is using mostly btrfs now, I wonder if they are really a big deal.

When I copy something from my Mac to an FAT drive, I get a ton of ._[Filename] files. Which is also very annoying.

Fellows,I appreciate all your personal efforts and measures to find ways to protect your NAS against accessing by third parties from the web.

But: I wonder if and/or when WD(!) will be able to provide a working and protecting new OTA-update for all their devices finally!?
Till now only a over-hasted half-baked update that was pulled back a few hours after its release... and that is the status till today! So lets wait and pray.... Im a little bit pissed about this behaviour of WD, sorry to say…

I’ll be on the same boat if WD does not solve all security bugs in a near future.
Like EdithKain I think that the best alternative could be Synology or maybe Qnap, on my case, DS216j, using WD My Cloud hdd on the Synology.

All products have their own disadvantages but I cannot use a product that is insecure by default.

To be honest I have had enough of Western Digital. To me it is apparent that they do not take the MyCloud customers data seriously. It has been shown that Western Digital knew of these security issues since last December and only when this was made public and also posted on this forum they are appearing to close the gap.

I have been an owner of 2 MyClouds since 2014 and have many, many issues. It seems every firmware causes more issues because of no benchmarking/testing …. Safepoints quit or lost, USB issues/incompatibility, security, web access, and more. I have talked to support and sometimes they help, but most of the time you have to get to a level 2 or 3 before anything promising can happen. This takes days to accomplish and many non productive hours.

If you are unlucky enough to have a Gen1 and Gen2 mixture of MyClouds then you find they operate differently and what works on one does not mean that it will work on the other. This was a total surprise to many of us, not to mention the confusion it has caused in what firmware version to use for newbies. I guess what I am saying is, it appears Western Digital has taken a half-Baked approach to us, our data, our security, our well being with their product.

I realize that no NAS Manufacturer or their line of products is perfect, and that includes Western Digital. It also appears to me that most others take security issues to a different level of importance. I know I own the lower line of WD MyClouds but that does not mean we are the last to get attention/support/help on any level. My data and functionality is just as important to me as any SOHO/Business.

I am in the process of purchasing another Brand of NAS and moving forward. I seriously can’t justify, to myself, the frustration I feel towards the MyCloud and Western Digital. This has not been a pleasant experience at all.

Have the feeling, that all these WDMyCloud-stuff is only an unbeloved vehicle for WD to sell their HDDs. And so they are treating the firmware - and finally the "stupid" customers. As soon as there will be an irresistable offer for a Syn... or Qn... - Im gone!

Some news from WD:

Our engineering team is aware of this issue and a firmware update to fix the issue will be made available this week.

This week ends tomorrow…

I’ll guarantee you they won’t fix all security issues. How do I know? The supervisors at WD never followed up to get the vulnerability details from me. And I tried reporting it like 5 times over the past 2 years.

These security bugs are different from the 85+ issues that were publicly disclosed.

I might post a video with the latest firmware showing it being taken over next week… or whenever the new firmware is released.

1 Like

Do it! We’ve to show it them.
Maybe posting at reddit could work, or talking with engadget

Yes; you’ve given them more than enough opportunity. It’s time to make their failings as public as possible. They will only take action if their public perception is damaged. It’s quite clear they really aren’t concerned about reports posted on this forum; not public enough.

The only way to get them to take effective action is to threaten their sales.