Latest firmware still vulnerable

aolidjkas · April 17, 2017, 8:17pm

Any updates on when the My Cloud Mirror Gen 2 will get an update? Getting sick of having a $300 paper weight.

Myron · April 18, 2017, 8:06am

Out of curiosity, if using the MyCloud service and now opening any ports to it from the Internet thus using WD’s relay service, would not not mitigate the problem? Nothing will be able to attack your My Cloud Mirror from outside your network and you will still be able to use the WD apps to access your files from elsewhere.

Just don’t set-up a port forwarded My Cloud connection.

Does that make sense?

ultra_maximum · April 18, 2017, 8:30am

d_fens · April 18, 2017, 10:05am

I really like how much WD has learned from the recent events and years,
they communicate the pulled firmware openly and care about the worries of their customers and value the worth of the data stored on the My Clouds they sell as a secure alternative to dropbox etc.
If you find any sarcasm, store it on your not-fixed my cloud so anybody can access it.

aolidjkas · April 18, 2017, 4:59pm

Based on my understanding no, the attack vector is through a browser on a computer attached to the same network. As long as the device is accessible over the same network as a computer browsing the internet, its open to being completely compromised. The security bulletin from SEC consult (Vulnerability Lab - SEC Consult) recommends disconnecting from the network, and notes of no known workarounds. I’ll happily be corrected, but after substantial back and forth with WD support they provided no potential work arounds, and ended up telling me (after incorrectly noting there was an update for my device) to monitor this forum for updates.

d_fens · April 20, 2017, 8:40am

I updated to 4.05.00-315 without issues, I used the iPhone-App on the go.
I like taking risks

Wierd_w · April 20, 2017, 8:46am

I am intending to perform a rather radical mod on my gen2 tomorrow, that should allow me to alter the data in the webroot (and thus introduce some sanity checking)

I will see if I can patch my box myself. Wish me luck. Thank you for the security bulletin that outlines the attack vectors. I can test to see if I have successfully closed my box after doing the needful. Back tomorrow.

Bennor · April 20, 2017, 9:51am

In case people missed it WD put back up the announcement(s) for new single bay firmware 4.05.00-315 & 2.30.165 (4/19/17). They also posted updated firmware for the My Cloud Mirror Gen2. Both were previously pulled by WD on April 13th for some reason.

New Release - My Cloud Mirror Gen2 Firmware 2.30.165 (4/19/17)
New Release - My Cloud Firmware Versions 4.05.00-315 & 2.30.165 (4/19/17)

TM2017 · April 20, 2017, 8:45pm

Are there still critical vulnerabilities in this version?

lordmage · May 16, 2017, 1:59pm

yes read above

cska133 · May 16, 2017, 8:35pm

Where above?

lordmage · May 17, 2017, 2:59pm

cska133 · May 17, 2017, 5:21pm

Oh, this is great so i still can not turn on my My Cloud device

Bennor · May 17, 2017, 5:46pm

It should be noted that there apparently hasn’t been a retest posted yet from that group testing the latest firmware. As such its not certain what if anything has been fixed or is still a potential attack vector as related to what Sec-Consult.com has found. That link is from 2017-03-07.

Myron · May 17, 2017, 9:14pm

Trying to understand here. A computer on the Internet (or WAN) side of the router is not on the same network, therefore relatively safe? There would need to be a compromised computer on the sane network (subnet) as the NAS?

Is this correct?

lordmage · May 18, 2017, 4:11am

you are correct once a system inside the router is affected the whole network is affected

Wierd_w · May 18, 2017, 4:28am

Which is why sensitive networks use a DMZ.

If an attacker gets past the firewall, they land inside the DMZ, and need to spend additional attack time to get out of it, and into the actual privileged LAN. This gives you time to halt (and ability to quickly quarantine) the outside connection, and contain any malware spread before it sets fire to your infrastructure.

Myron · May 18, 2017, 8:04am

So, at the moment it’s not a major problem. Just make sure the computers are maintained correctly and the users educated. Not much to be worried about? I don’t use the DMZ on the router and just forward the needed ports.

laserfocus · June 17, 2017, 9:35pm

Can you explain what you mean by “maintained correctly”?

Is this issue still a problem now? Is there a good summary of what to do?

Turning it off the only real solution?

cpt_paranoia · June 17, 2017, 10:52pm

Since WD haven’t identified which vulnerabilities they have fixed in the latest firmware, and which they haven’t, it’s really hard to say what is the best thing to do.

Not to mention the SambaCry vulnerability that has recently been identified, and been shown to be the basis of active attacks on systems running Samba. Other NAS vendors have released patched firmware to plug this vulnerability. WD have not.

I currently have my device with cloud access disabled.