Latest firmware still vulnerable

Any updates on when the My Cloud Mirror Gen 2 will get an update? Getting sick of having a $300 paperweight.

Out of curiosity, if using the MyCloud service and not opening any ports to it from the Internet, thus using WD’s relay service, would that not mitigate the problem? Nothing will be able to attack your My Cloud Mirror from outside your network and you will still be able to use the WD apps to access your files from elsewhere.

Just don’t set up a port-forwarded My Cloud connection.

Does that make sense?

I really like how much WD has learned from the recent events and years,
they communicate the pulled firmware openly and care about the worries of their customers and value the worth of the data stored on the My Clouds they sell as a secure alternative to Dropbox etc.
If you find any sarcasm, store it on your not-fixed My Cloud so anybody can access it.

Based on my understanding, no: the attack vector is through a browser on a computer attached to the same network. As long as the device is accessible over the same network as a computer browsing the internet, it’s open to being completely compromised. The security bulletin from SEC Consult (https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170307-0_WD_MyCloud_OS_cmd_injection_file_upload_v10.txt) recommends disconnecting from the network, and notes no known workarounds. I’ll happily be corrected, but after substantial back and forth with WD support they provided no potential workarounds, and ended up telling me (after incorrectly noting there was an update for my device) to monitor this forum for updates.

I updated to 4.05.00-315 without issues; I used the iPhone app on the go.
I like taking risks :smiley:

I am intending to perform a rather radical mod on my Gen2 tomorrow that should allow me to alter the data in the webroot (and thus introduce some sanity checking).

I will see if I can patch my box myself. Wish me luck. Thank you for the security bulletin that outlines the attack vectors. I can test to see if I have successfully closed my box after doing the needful. Back tomorrow.

In case people missed it, WD put back up the announcement(s) for new single bay firmware 4.05.00-315 & 2.30.165 (4/19/17). They also posted updated firmware for the My Cloud Mirror Gen2. Both were previously pulled by WD on April 13th for some reason.

New Release - My Cloud Mirror Gen2 Firmware 2.30.165 (4/19/17)
New Release - My Cloud Firmware Versions 4.05.00-315 & 2.30.165 (4/19/17)

Are there still critical vulnerabilities in this version?

Yes, read above.

Where above?

Oh, this is great :frowning: so I still cannot turn on my My Cloud device.

It should be noted that there apparently hasn’t been a retest posted yet from that group testing the latest firmware. As such, it’s not certain what, if anything, has been fixed or is still a potential attack vector as related to what Sec-Consult.com has found. That link is from 2017-03-07.

Trying to understand here. A computer on the Internet (or WAN) side of the router is not on the same network, therefore relatively safe? There would need to be a compromised computer on the same network (subnet) as the NAS?

Is this correct?

You are correct: once a system inside the router is affected, the whole network is affected.

Which is why sensitive networks use a DMZ.

If an attacker gets past the firewall, they land inside the DMZ, and need to spend additional attack time to get out of it, and into the actual privileged LAN. This gives you time to halt (and ability to quickly quarantine) the outside connection, and contain any malware spread before it sets fire to your infrastructure.

So, at the moment it’s not a major problem. Just make sure the computers are maintained correctly and the users educated. Not much to be worried about? I don’t use the DMZ on the router and just forward the needed ports.

Can you explain what you mean by “maintained correctly”?

Is this issue still a problem now? Is there a good summary of what to do?

Turning it off the only real solution?

Since WD haven’t identified which vulnerabilities they have fixed in the latest firmware, and which they haven’t, it’s really hard to say what is the best thing to do.

Not to mention the SambaCry vulnerability that has recently been identified, and been shown to be the basis of active attacks on systems running Samba. Other NAS vendors have released patched firmware to plug this vulnerability. WD have not.

I currently have my device with cloud access disabled.