Latest firmware still vulnerable


#62

I have kept my Cloud Access on all along, and will continue to do so, because everything on my DL2100 is a COPY of files stored elsewhere on other drives. It’s basically media files. I figure the likelihood of anyone finding my NAS online has the same probability of a meteor hitting my house, anyway. If my NAS is found, they can download the whole enchilada; big deal. I know, there are other possible outcomes as well, but I like to live dangerously.


#63

Could WD issue a guideline on what to do and when to expect the update?!
Like any professionally acting company should do :confused:
(…after they ignored the 60-day grace time etc…)


#64

That would be the right thing to do, but I won’t expect it. I also don’t expect an update in the near future (this month) which fixes all issues.


#65

This is interesting:

https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt

Unbelievable…
Do not store any sensitive data on these devices

"
Business recommendation:

By combining the vulnerabilities documented in this advisory an attacker
can fully compromise a WD My Cloud device. In the worst case one could steal
sensitive data stored on the device or use it as a jump host for further
internal attacks.

SEC Consult recommends not to attach WD My Cloud to the network until
a thorough security review has been performed by security professionals and
all identified issues have been resolved.
"

:confused:


#66

Yikes. Unbelievable indeed. :open_mouth:


#67

‘2017-01-23: Vendor: “we don’t have a security department that we could forward this concern”’

That pretty much sums up WD’s attitude to security. It’s a disgrace, and the sooner the FCC investigate them, the better.


#68

Fortunately, the statement above is false.

… including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/1) that were addressed with the firmware update made available on December 20, 2016

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.


#69

Just to clarify for others, taking down “Cloud Access” (although probably a good idea) will NOT make you safe.
The problem is in the web interface of the WD box - it allows a malicious website (or application) to execute arbitrary code on the box. You don’t have to be logged in to the web interface; the exploit works even when you’ve never accessed the web interface from your browser :-/ The only thing needed is that the WD box and the browser happen to be on the same network; it may be just a friend who came for a visit and connected their device to your wifi.
One possible mitigation option is to log in via ssh and take down httpd, but that will only work until the next device reboot. Plus, that’s quite a difficult task for a typical user.


#70

I have a POC and a video of it which shows your WD My Cloud content being exfiltrated with remote access / cloud access TURNED OFF from the internet. Yeah, turn off the drive.

It’s been about 2 years since WD was notified of the original vulnerability. I’m going to go with “WD doesn’t have a security team”. Even if it did, they’re highly negligent, which makes it worse than not having a security team. Asus got hit with 20 years of punitive measures for negligence. I’d be careful what WD states in public forums. It might be safer/cheaper to state the truth.


#71

WD staff, etc. getting “defensive” in forum does not make for good karma. Best to remain silent, or continue to say “we are working diligently on the issues”, or better yet, “All problems are solved, you can turn on your My Clouds of all types again”.


#72

So… Seems like WD can’t fix these errors and my alternative firmware is the only option (Debian + OMV).


#73

Your statement is correct for exploitee.rs, but SEC contacted WD (or at least tried to) in a fair way,
but time passed by and nothing happened. It seems that the procedures for this kind of contact are not known to your support team.


“Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers”
So why is there no dedicated e-mail address with a PGP key? I said this years ago in this forum.


#74

Looks like I’ll go back to an old-fashioned USB connected to my TV to access my media files (although no doubt there’s probably some dodgy security hole in my Smart TV as well :wink:) … Terrible service from WD IMHO


#75

Thanks for the info Bennor :slight_smile: … interesting reading for sure and I totally agree … Yikes!!!

All this makes the MyCloud just about worthless :frowning: If you can’t even trust the MyCloud with “Cloud Access” off and using it locally, then what the heck are we supposed to do? - Unplug your router from the internet -> Turn on the MyCloud -> upload/download/backup or whatever else you need to do -> Turn off the MyCloud and unplug it from your network -> re-plug in your router and proceed as normal?


#76

Yes. Just get rid of My Cloud entirely and look elsewhere. This is embarrassing from WD. They need to build MyCloud OS from scratch most likely.


#77

Correct, the exploit(s) are apparently still there even with Cloud Access disabled. As you indicated one could use SSH to stop the HTTPD service within the My Cloud, possibly even using a CRON job or S98user-start file (for v4.x firmware) to stop the HTTPD service upon startup or restart.

There are also probably several other methods that one can use to isolate the My Cloud on the local network to control access to the device. Like using firewall rules and separate LAN/IP address segments among other things.

But all of these things are probably going to be way above the average user’s knowledge or comfort zone. And therein lies the major problem and major issue at hand. By not addressing these security issues quickly (or at all), and not giving the user information on how to secure their My Cloud while new firmware is being tested, WD is leaving many My Cloud customers vulnerable to having their potentially sensitive information compromised.
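A concrete form of the firewall-rule mitigation mentioned above, as an added example that is not code from the thread or from WD: a POSIX shell script that restricts the My Cloud web interface to a single admin host on the LAN. The admin address, the port list, the script name and the assumption that the NAS (or a firewall in front of it) runs iptables are all mine.

```shell
#!/bin/sh
# Added example, not from the thread or from WD: build iptables rules that let
# only one admin host reach the My Cloud web interface (tcp/80 and tcp/443) and
# drop every other LAN client, so a browser on some other device on the same
# network cannot reach the vulnerable httpd at all. Assumes the NAS (or a
# firewall in front of it) runs iptables; the addresses below are constructed.
#
#   sh lockdown-webui.sh print 192.168.1.10   # show the rules only
#   sh lockdown-webui.sh apply 192.168.1.10   # apply them (as root, e.g. over SSH)

WEB_PORTS="80 443"

# build_rules ADMIN_IP: print one iptables command per line. ACCEPT rules come
# first, then the DROP rules, because -A appends and rules match in order.
build_rules() {
    admin="$1"
    case "$admin" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;          # rough IPv4 format check
        *) echo "build_rules: not an IPv4 address: '$admin'" >&2; return 1 ;;
    esac
    for p in $WEB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -s $admin -j ACCEPT"
    done
    for p in $WEB_PORTS; do
        echo "iptables -A INPUT -p tcp --dport $p -j DROP"
    done
}

# count_rules ADMIN_IP: number of rules build_rules emits (2 per port)
count_rules() {
    build_rules "$1" | wc -l | tr -d ' '
}

# Rules added this way do not survive a reboot; re-run "apply" from a startup
# hook such as the one the post above mentions, or keep the rules on a
# firewall in front of the NAS instead.
case "${1:-print}" in
    print) build_rules "${2:-192.168.1.10}" ;;
    apply) build_rules "${2:-192.168.1.10}" | sh ;;
    *) echo "usage: $0 print|apply [ADMIN_IP]" >&2; exit 2 ;;
esac
```

Run it in `print` mode first and check that the ACCEPT lines name the host you actually administer from, since a typo there locks you out of the web UI until the rules are flushed.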


#78

So if I want to copy stuff off the WD Cloud device to a USB, is it best I disconnect the internet while it’s doing it? Or could I put in an IP rule for the WD Cloud to not allow external access?


#79

So why do your Support teams say it?

Why have you failed to address security issues identified by Edith Kain? Her attempts to get WD to respond to her concerns are very revealing of WD’s attitude.

Stop bleating about us being unfair to you, and get on and fix the 90 vulnerabilities that have been identified by white hat investigators. And be grateful to them.


#80

This issue of security flaws is totally appalling no matter how you look at it. A lot of us have been through many, many issues with the MyCloud … we have stayed here to help one another … we have contributed in so many countless ways and yet this is how we are treated.

For God’s sake someone from WD acknowledge this issue and let us know what to do with these devices. Many of us have more than one device and deserve some help. Not that having more than one device means anything other than we have entrusted WD with our data and supported WD … wouldn’t it seem WD should do the same by supporting us.


#81

… and I newly bought a MyCloud exactly because of WD’s security and seriousness, then cheers :angry: