Latest firmware still vulnerable

Read post #174

You may:

  • disable remote access on mycloud ui
  • block internet access to mycloud hdd on your router (by mac or ip)
  • disable httpd service

But nobody can assure that all this will be enough.

@ultra_maximum
@dswv42
Thanks a lot, guys, for this very useful advices and input!:+1:
I know, there is no 100% securtity - but at least it helps me to decrease the risks…

Thanks :wink:

“Million dollar question” do you know when they will release a new version?

A crystal ball seems to be needed for this…

Most here are users/customers just like yourself. We do not work for WD so we have no clue or idea when WD will (if ever) release new firmware for the other WD My Cloud versions (they’ve only released firmware for three other models currently) that address some or all of the publicly reported security vulnerabilities. Keep an eye on the following page for updates as well as the current subforum:

https://community.wd.com/c/announcements-and-discussions/news-announcements

On a side note we did a little speculating at one point with posting firmware release dates in either this or the other discussion on the vulnerabilities. See the following two posts earlier in the current thread.

https://community.wd.com/t/latest-firmware-still-vulnerable/96743/114

https://community.wd.com/t/latest-firmware-still-vulnerable/96743/115

Unfortunately for the single bay/single drive My Clouds WD decided that users cannot set the main Public Share to Private through the Dashboard, meaning there will always be one Public Share that anyone can access on the My Cloud if one can gain access to the My Cloud.

Currently one would have to use SSH to modify the firmware files to disable the Public Share or change its settings. Its something that has been complained about several times in the past.

https://community.wd.com/t/public-share-public-access-on/96854

https://community.wd.com/t/removing-public-share-wd-mycloud/137086

The Cloud Ideas request (so far unheeded by WD):

https://community.wd.com/t/manage-public-share-user-access-at-least-a-read-only-option/97231

I just checked your link.
For two days there are additional updates for Mirror, EX2, EX4.

Not yet for EX2Ultra I need…

WD is committed to… (please complete the sentence) :wink:

…not give updates :grin:

…sit on one`s hands! :sunglasses:
That is it what they are able to do perfectly…

@dswv42
This is the best info a saw on this forum :smile:

More news, cross your fingers!

Please be informed that the firmware update version 2.30.165 for single bay My Cloud devices will be released tomorrow.

Where and when was this posted or indicated by WD?

Today from WD support by mail.
I opened a case last week.

“The #MyCloud affair shows that a good responsible disclosure process is key. Not sure how to implement RD? Checkout https://rdteam.nl
source: https://twitter.com/RemcoVermeulen/status/839129729181630465

this one is nice: “The WD product #MyCloud has a nice name… Indeed, “Your cloud” is now “My Cloud” :slight_smile: #0day

Vendor contact timeline:

2017-01-18: Contacting vendor through “WD Support - Create a Support Case”
page (https://support.wdc.com/support/case.aspx?lang=en).
Assigned ticket number - Deleted
2017-01-19: Vendor: replies to the ticket asking for more clarification.
2017-01-20: Replied to the vendor, requesting security contact and encryption keys
2017-01-23: Vendor: “we don’t have a security department that we could forward
this concern”
2017-01-23: Telling support that there seems to be a security contact by
referencing other WD advisories, requesting security contact again
2017-01-24: Vendor: asking for affected product name and firmware version.
2017-01-24: Providing list of affected product name and firmware versions,
requesting security contact again
2017-01-25: Vendor: informs us that they “have already escalated the case from
their back end team”, they will update us.
2017-03-07: Public disclosure of advisory

Source: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt

2017-04-06: still no update for all models :confused:

@ d_fens,

Are you stating that you contacted WD Support via a “Support Case” and in their response (5 days later) they stated “we don’t have a security department that we could forward this concern” This is going on 3 months after you submitted a Support Case! … WoW!!!, this isn’t good at all :frowning:

@SectorGZ no, it was a quote from: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt

Oh OK will be interesting to see if we see anything today for the v2.x single bay My Cloud users. Wonder if we’ll see anything for us older v4.x My Cloud users?

WD has released (on 3-30-17) updated firmware for three My Cloud models (Mirror, EX2, EX4) that; “Resolved critical security vulnerabilities”. It appears the Sec-Consult.com group hasn’t yet retested those three models to see if the exploits were patched. It appears that txt link is the one posted back on 3-7 and hasn’t been updated with any new information.

Hopefully they’ll revisit the updated firmware and retest to see if the vul’s are actually patched.

Summarizing this is going to be a PR disaster for WD meanwhile.
I have had a good opinion from this company - formerly. Meanwhile I`m back on the ground disillusioned …