Latest firmware still vulnerable

thanks.
actually what I meant was on the hardware side… I remember somewhere in the forum here it was mentioned to disable UPnP in the router. Or am I wrong?

Do what on the hardware side? Improve security? There’s not much you can do about that, since it’s the firmware that handles the vulnerable protocols.

I recommend disabling UPnP control of router ports, as it prevents rogue software opening ports in your router, thus providing an external access mechanism. That’s still firmware/software, though, not hardware…

One would still be disabling UPnP via firmware on the My Cloud (/etc/init.d/upnp_nas stop) or better on the router itself. Some routers have an option to disable UPnP.

One can try to turn off UPnP via SSH on the My Cloud by issuing the /etc/init.d/upnp_nas stop command. Depending on which My Cloud version you have you can put that command into a CRON or user-start file to try and stop UPnP on the My Cloud. Use the forum search feature to search for how to stop UPnP as there is probably some past discussion on it in the discussions on the sleep issue.

And what is better, or what has fewer consequences: disabling UPnP on the router side or on the My Cloud device? Because disabling on the router has an effect on all future connections. On the My Cloud device this should influence only the device. Or am I wrong?

Can we fork a discussion of Gulftech vulnerabilities into its own thread? A number of us are waiting on the firmware that addresses this particular vulnerability set.

This thread started out referencing a much older vulnerability & is currently about the merits of UPnP.

There are those who recommend turning off UPnP within the router for security reasons. For example:

http://www.techtipsforyou.com/2015/05/keep-your-home-wifi-network-safe-upnp.html

One will need to decide if UPnP is worth having enabled on the router or not.

Probably a good idea. Probably would require forum staff to split the thread though. Otherwise someone can simply start a new thread on the GulfTech vuln and have the discussion on that particular vuln continue there.

Disabling UPnP control of firewall ports puts control into the hands of the router admin: you.

It is important to distinguish between UPnP traffic and UPnP control; disabling UPnP control of the router does not prevent UPnP traffic. So you can still use your router for UPnP/DLNA media streaming.

The consequence is that you will have to manually open ports for external traffic you do want, but that generally isn’t too hard.

Pass it to your solicitor.

Weird, a new year and several months since I decided to just unplug my mycloud 4tb and disconnect it etc - I thought, I will go back to Western Digital’s forum and see how they are deeming the security of the devices that they have manufactured and sold, along with its software… to find the latest round of complete cluster f&*ks that Western Digital clearly are.

You know what amazes me; the average domestic user will not use the internet to search for “how secure is a western digital my cloud” before they actually purchase the item and yet, Western Digital have carried on selling these devices, with its software for several months since the last round of global stated vulnerabilities… this really is akin to fraud by deception by Western Digital on all who have purchased these devices.

It is wholly unacceptable in today’s climate, for such a large company as WD to take security flaws / vulns so incredibly lightly, when they are even given disclosures on a plate… ONE HUNDRED AND EIGHTY DAYS and still no contact with the disclosee… WOW!

Class Action Anybody? I also will now look into how this sits with the Data Protection Regulator here in the UK, especially with the General Data Protection Regulation (GDPR) only being 5 months away from being enforceable.

Admittedly, WD don’t host one’s data to my knowledge, it’s on the device that sits on one’s local network but it is still a question worth having with them. Namely, to see where GDPR sits in regard to this actual type of manufacturer > consumer structure of such devices and a complete disregard for the consumer’s ability to keep their data secure enough, i.e. 180 days since receiving a security disclosure.

Additionally, these devices are no doubt often purchased by smaller businesses and hence GDPR would come into play so much more, than domestic purchasers of WD personal cloud devices. Also, these are physical devices in our possession, as opposed to Cloud Storage one pays a company for, to host and supposedly keep one’s data safe on one’s behalf.

I’m so utterly pissed with Western Digital, more than the last time I was here and found out how bad the device that they sold me was for vulnerabilities!!!

Let me in a room face to face with a Western Digital C-level member of personnel, oh I would love that!

Oh, yeah! I have a few words for them too!
Where have they found such awkward developers?

We have posted an update in regards to this topic on the Western Digital Blog.

https://blog.westerndigital.com/western-digital-cloud-update/

Previously reported security vulnerabilities related to certain My Cloud products had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Other issues are being addressed in future updates.

One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible. As always, we encourage users to contact Western Digital customer support should they need help updating their device. If you wish to contact customer support directly, please visit this page. You may need to use the “Change country” link on that page to find the most appropriate phone number for your location.

It is important to note that the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.

As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.

Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities.

*Models with Dashboard Cloud Access:

My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud DL2100
My Cloud DL4100
My Cloud PR2100
My Cloud PR4100
My Cloud Mirror
My Cloud Mirror Gen 2

Dashboard Cloud Access:

The Dashboard Cloud Access feature is available under Settings->General->Cloud Access.

Port Forwarding: Port forwarding of HTTP connections should be disabled on the My Cloud device and the router. On My Cloud devices the port-forwarding feature is available under Settings->Network->Port Forwarding and can be used only if the connected router supports UPnP.
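
An added example, not part of any post in this thread or of WD's statement: a way to check the point made above about UPnP control of router ports and about HTTP port forwarding to the My Cloud, by auditing the port mappings a router reports over UPnP. It parses the listing layout of miniupnpc's `upnpc -l`; the sample listing, the NAS address 192.168.1.50 and the choice of 80/443 as dashboard ports are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample in the layout printed by miniupnpc's `upnpc -l`;
# every address, port and description below is made up for illustration.
SAMPLE_UPNPC_OUTPUT = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8080->192.168.1.50:80    'NAS web UI' '' 0
 1 UDP 51413->192.168.1.23:51413 'BitTorrent' '' 3600
 2 TCP  9443->192.168.1.50:443   'NAS https' '' 0
 3 TCP 32400->192.168.1.77:32400 'Media server' '' 0
"""

MAPPING_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<addr>[0-9.]+):(?P<int>\d+)\s+'(?P<desc>[^']*)'"
)
WEB_PORTS = {80, 443}  # assumption: HTTP/HTTPS ports of the NAS dashboard


def parse_mappings(text):
    """Return one dict per port mapping the router reports over UPnP."""
    mappings = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # header, status or blank line
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue  # malformed address, not a mapping row
        mappings.append({"proto": m["proto"], "ext_port": int(m["ext"]),
                         "addr": addr, "int_port": int(m["int"]),
                         "desc": m["desc"]})
    return mappings


def audit(text, nas_ip):
    """List forwards that expose the NAS, flagging its web ports."""
    nas = ipaddress.ip_address(nas_ip)
    findings = []
    for m in parse_mappings(text):
        if m["addr"] != nas:
            continue
        kind = "web-ui-exposed" if m["int_port"] in WEB_PORTS else "nas-port-exposed"
        findings.append((kind, m["proto"], m["ext_port"], m["int_port"], m["desc"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_UPNPC_OUTPUT, "192.168.1.50"):
        print(finding)
```

Any row parsed at all means the router is still answering UPnP port-mapping queries; rows that survive after UPnP control is disabled point to manual forwards that need removing in the router's own admin page.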

@WD_MCH

Lance, can I suggest that it might be an idea for WD to post a sticky thread on the relevant sub-forums, identifying the status of disclosed CVEs, their exploit risk, and suggested mitigations, and in what firmware CVE vulnerabilities have been closed.

At the moment, all we have to go on is vague statements in the firmware release notes, which rarely identify specific CVEs.

@cpt_paranoia

Thanks for the suggestion. I will check with the product teams to see if we have more detailed info available.

If WD take product security seriously, they REALLY ought to know the status of EVERY reported CVE relevant to their products.

The impression most forum users have gained over the last few years is that, sadly, WD do not take product security seriously; I really shouldn’t have to be telling WD how to communicate product security status to your customers, it should be glaringly obvious.

Just to add now it has gone mainstream;

I just wanted to update you all on this issue. We have released a new FW available today for manual download and installation. It will be available for pushed OTA FW update next week. Please see the post below.

Also regarding the hardcoded admin user and password. This issue was resolved in 11/17 FW 2.30.172 release.

Any chance of a download link…?

The download link is in the original post, copied below for your convenience.

My Cloud Firmware Update 4.05.00-320 & 2.30.181

4.05.00-320 was released last November. Not today.

Firmware Release 04.05.00-320 (11/28/2017)

Do you have a link to the new firmware released today for manual download…?