Latest firmware still vulnerable

WD called me 2-3 weeks ago, and I sent them the most important packages which needed updates. It seems they actually did it :smiley:

1 Like

@ d_fens,
Thank You for doing this :slight_smile:

But what strikes me as weird is they are calling Users to find out what their own system needs? … Really!! I can understand a bug or function not working properly and calling a user for the details, but, but, but …

I am thankful they are doing these things but look at what it took for WD to put into action what should have been doing in the first place … imho

Aren’t they aware of what risks they are putting their customers in?

1 Like

Oh I have no doubt that some in WD are very aware of the potential risks they are putting their customers in by having questionable firmware for their products. But like happens in so many businesses, its a financial decision on whether it is cost effective to patch the firmware for so many of their products. There are roughly 9 My Cloud models, with one of them using different firmware than the rest (first gen single bay v4.x My Cloud), and each of the other v2.x firmware models having possible different features/options. All that said it as we see so often it typically takes the companies security vulnerabilities being aired publicly for the bean counters to see fixing them as cost effective. We see this time and again with numerous electronics products.

Hopefully if the past recent firmware releases for the other models are any indication we could potentially see the firmware update for the single bay models in four days as the last two firmware releases for other models were five days apart. Or not.

Still no update for the single bay/drive my clouds.
It is getting hilarious, WD

According to Wikipedia, samba v4.4.0 was released 22/03/16, so v4.3.11 is at least a year old. Latest is v4.6.0, released 07/03/17.

At least it no longer appears to be just a release candidate…

New firmware released for the single bay My Cloud units…

https://community.wd.com/t/new-release-my-cloud-firmware-versions-4-05-00-315-2-30-165-4-13-17/202232

Created two separate threads for discussion on the new firmware. Links to the firmware can be found in the two discussions as well.

https://community.wd.com/t/firmware-4-05-00-313-discussion/202234

https://community.wd.com/t/firmware-2-30-165-discussion/202238

Yes there is much confusion as often evidenced in this My Cloud subforum. There are constantly people wondering why WD used the same name for two different models that each use different firmware and have slightly different Dashboard interfaces/options. When the gen 2 was released there were a bunch of us going; WHAT ON EARTH was WD thinking by using the same name. [shakes head]

Not to mention that, for legal reasons (someone else has the name MyCloud), it’s called WD Cloud in Japan…

I like the layout of the new FW for my DL2100. No problems so far. Hope all issues are fixed, but just have to “believe” for now.

Fine, do it, but the new FW is all I have to work with, and likely better than it was. Maybe if you fix it “good”, WD will want to hire you at big bucks…

I have a single bay, but I’m going to wait until a bunch of pioneers (beta test victims) go first…

I hear ya’ there … lol

the changelog says they use SMB3 protocol by default now. That should be a little interesting.

I don’t see any mention of fixing this old script injection hole though.

what are the consequences of the change?

SMB3 is newer, and is a little more efficient than SMB2. It also allows you to selectively disable oplocking, which can have some benefits under certain [rare to end user] circumstances. For most users, it will result in slightly improved file transfer speeds when transferring files with the protocol. However, it can also lead to some unusual behaviors, the specifics of which are not easy to discuss directly. For a full breakdown, I suggest more indepth research. It will also allow the NAS device to more readily be seen by newer versions of windows, like 8 and 10, and will speed up those OS’s ability to see the contents of a share, etc, especially if large numbers of shares, or large numbers of files are present.

SMB2 was introduced with windows XP. SMB3 is more win7 and newer.

Any updates on when the My Cloud Mirror Gen 2 will get an update? Getting sick of having a $300 paper weight.

Out of curiosity, if using the MyCloud service and now opening any ports to it from the Internet thus using WD’s relay service, would not not mitigate the problem? Nothing will be able to attack your My Cloud Mirror from outside your network and you will still be able to use the WD apps to access your files from elsewhere.

Just don’t set-up a port forwarded My Cloud connection.

Does that make sense?

I really like how much WD has learned from the recent events and years,
they communicate the pulled firmware openly and care about the worries of their customers and value the worth of the data stored on the My Clouds they sell as a secure alternative to dropbox etc.
If you find any sarcasm, store it on your not-fixed my cloud so anybody can access it.

Based on my understanding no, the attack vector is through a browser on a computer attached to the same network. As long as the device is accessible over the same network as a computer browsing the internet, its open to being completely compromised. The security bulletin from SEC consult (https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt) recommends disconnecting from the network, and notes of no known workarounds. I’ll happily be corrected, but after substantial back and forth with WD support they provided no potential work arounds, and ended up telling me (after incorrectly noting there was an update for my device) to monitor this forum for updates.