Latest firmware still vulnerable

Also from that Gulftech.org link comes the following which is interesting to read.

–[ 04 - D-Link DNS-320L ShareCenter

As I have mentioned earlier in this article, I found it peculiar that
the username used for the backdoor is “mydlinkBRionyg”, and that the
vulnerability in Section 1 of this paper refers to a non-existent file name
of “mydlink.cgi”. This really piqued my curiosity, and so I started using
google to try to track down some leads. After searching for the term of
“mydlink.cgi” I came across a reference to a post made by a D-Link user
regarding their D-Link DNS-320L ShareCenter NAS device.[2]

Within that post were references to file names and directory structure that
were fairly unique, and from the D-Link device. But, they also perfectly
matched my WDMyCloud device. The more I looked into this the weirder it
seemed. So, I gained access to a D-Link DNS-320L ShareCenter. Once I had it
things became pretty clear to me as the D-Link DNS-320L had the same exact
hard-coded backdoor and same exact file upload vulnerability that was
present within the WDMyCloud. So, it seems that the WDMyCloud software
shares a large amount of the D-Link DNS-320L code, backdoor and all. There
are also other undeniable examples such as misspelled function names and
other anomalies that match up within both the WDMyCloud and the D-Link
DNS-320L ShareCenter code.

It should be noted that unlike the WDMyCloud the D-Link DNS-320L is
currently NOT vulnerable to the backdoor and file upload issues, so you
should upgrade your DNS-320L firmware as soon as possible as the issues can
be leveraged to gain a remote root shell on the DNS-320L if you are not up
to date with your device firmware. The backdoor was first removed in the
1.0.6 firmware release. (July 28, 2014)

It is interesting to think about how before D-Link updated their software
two of the most popular NAS device families in the world, sold by two of
the most popular tech companies in the world were both vulnerable at the
same time, to the same backdoor for a while. The time frame in which both
devices were vulnerable at the same time in the wild was roughly from early
2014 to later in 2014 based on comparing firmware release note dates.

According to CVE-2017-17560 (12/12/2017), 2.30.172 is vulnerable to unauthenticated upload to anywhere in the entire filesystem, where uploaded code can be executed as root.
https://nvd.nist.gov/vuln/detail/CVE-2017-17560

I think it doesn’t get much worse than that.

Because my MyCloud has been powered off for more than 1 year already, since I read this posting here, unfortunately I forgot how it works… if I disable the remote access will I be able to access my data on the MyCloud when I am in my home network? Also, can I then log in to the dashboard to change settings, for example?

No, it doesn’t get much worse than that, other than the fact that WD will probably take their sweet time as in months (just like in the past) to issue a firmware update to fix this latest round of vulnerabilities.

If one disables Cloud Access via the My Cloud Dashboard Settings all one is doing is turning off the remote access capabilities (not FTP though as that is a separate setting) of the unit. One will still have local network access to the device including Dashboard access.

OK, that is good.
But still, what other steps are there (besides disabling remote access) to reduce the vulnerability risk of MyCloud?

Simple steps are to ensure your network is secure by using strong WiFi password(s). Do not allow any guests to access the network (wired or WiFi). Turn off Guest WiFi if router supports it. Review router port forwarding settings and remove any unneeded port forward entries. Make sure all computers connected to the local network are using antivirus/antimalware/security software that is up to date and to run scans often/weekly to keep computers clean of viruses and malware.

from http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125 :

"
2017-06-16
A period of 90 days is requested by vendor until full disclosure.

2017-12-15
Zenofex posts disclosure of the upload bug independently of my research [3]

2018-01-03
Public Disclosure"

Good work WD! Keep it up. Always committed to keeping our data safe :joy:

Thanks.
Actually what I meant was on the hardware side… I remember somewhere in the forum here it was mentioned to disable UPnP in the router. Or am I wrong?

Do what on the hardware side? Improve security? There’s not much you can do about that, since it’s the firmware that handles the vulnerable protocols.

I recommend disabling UPnP control of router ports, as it prevents rogue software opening ports in your router, thus providing an external access mechanism. That’s still firmware/software, though, not hardware…

One would still be disabling UPnP via firmware on the My Cloud (/etc/init.d/upnp_nas stop) or better on the router itself. Some routers have an option to disable UPnP.

One can try to turn off UPnP via SSH on the My Cloud by issuing the /etc/init.d/upnp_nas stop command. Depending on which My Cloud version you have you can put that command into a CRON or user-start file to try and stop UPnP on the My Cloud. Use the forum search feature to search for how to stop UPnP as there is probably some past discussion on it in the discussions on the sleep issue.
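As an added example (not code from this thread, from WD, or from the My Cloud firmware), here is a small POSIX shell wrapper around the /etc/init.d/upnp_nas stop command mentioned in the post above, written so it can be placed in a cron or user-start file and run at every boot without caring whether UPnP was already stopped. The log file, the return codes and the option to pass a different init-script path are my own assumptions; the init-script path and the stop verb are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: boot-time wrapper that stops the My Cloud UPnP daemon via
# its init script. Idempotent and logged, so it is safe to run repeatedly
# from cron (e.g. an "@reboot /shares/Public/disable_upnp.sh" entry, path
# is a placeholder) or from a user-start file.
#
# Assumptions (not from the thread): the init script accepts "stop" and
# returns a non-zero status on failure; the log path is arbitrary.

UPNP_INIT_DEFAULT=/etc/init.d/upnp_nas

# disable_upnp_nas [init_script] [logfile]
# Returns 0 when the stop command succeeded, 2 when the init script is not
# present (some firmware versions may lack it, so this is not treated as an
# error), or the stop command's own exit status otherwise.
disable_upnp_nas() {
    init_script="${1:-$UPNP_INIT_DEFAULT}"
    logfile="${2:-/dev/null}"
    stamp=$(date '+%Y-%m-%d %H:%M:%S')

    if [ ! -x "$init_script" ]; then
        printf '%s upnp_nas: init script %s not found, nothing to do\n' \
            "$stamp" "$init_script" >> "$logfile"
        return 2
    fi

    # Run the stop action and capture its status explicitly; "$?" after an
    # if/then block would not reliably reflect the failed command.
    "$init_script" stop >> "$logfile" 2>&1
    rc=$?
    if [ "$rc" -eq 0 ]; then
        printf '%s upnp_nas: stopped via %s\n' "$stamp" "$init_script" >> "$logfile"
    else
        printf '%s upnp_nas: stop failed with status %s\n' "$stamp" "$rc" >> "$logfile"
    fi
    return "$rc"
}

# On the device you would simply call:  disable_upnp_nas "" /var/log/upnp_stop.log
# (no call is made at load time so the file can also be sourced from other scripts).
```

Because the function only reports what the init script did, it is worth checking the log after the first reboot to confirm the stop actually took effect on your firmware version; if the init script is missing, the router-side UPnP setting described elsewhere in this thread is the remaining option.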

And what is better, or what has fewer consequences: disabling UPnP on the router side or on the MyCloud device? Because disabling on the router has an effect on all future connections. On the MyCloud device this should influence only the device. Or am I wrong?

Can we fork a discussion of Gulftech vulnerabilities into its own thread? A number of us are waiting on the firmware that addresses this particular vulnerability set.

This thread started out referencing a much older vulnerability &amp; is currently about the merits of UPnP.

There are those who recommend turning off UPnP within the router for security reasons. For example:

One will need to decide if UPnP is worth having enabled on the router or not.

Probably a good idea. Probably would require forum staff to split the thread though. Otherwise someone can simply start a new thread on the GulfTech vuln and have the discussion on that particular vuln continue there.

Disabling UPnP control of firewall ports puts control into the hands of the router admin: you.

It is important to distinguish between UPnP traffic and UPnP control; disabling UPnP control of the router does not prevent UPnP traffic. So you can still use your router for UPnP/DLNA media streaming.

The consequence is that you will have to manually open ports for external traffic you do want, but that generally isn’t too hard.

Pass it to your solicitor.

Weird, a new year and several months since I decided to just unplug my mycloud 4tb and disconnect it etc - I thought, I will go back to Western Digital’s forum and see how they are deeming the security of the devices that they have manufactured and sold, along with its software… to find the latest round of complete cluster f&*ks that Western Digital clearly are.

You know what amazes me: the average domestic user will not use the internet to search for “how secure is a western digital my cloud” before they actually purchase the item and yet, Western Digital have carried on selling these devices, with its software, for several months since the last round of globally stated vulnerabilities… this really is akin to fraud by deception by Western Digital on all who have purchased these devices.

It is wholly unacceptable in today’s climate, for such a large company as WD to take security flaws / vulns so incredibly lightly, when they are even given disclosures on a plate… ONE HUNDRED AND EIGHTY DAYS and still no contact with the disclosee… WOW!

Class Action Anybody? I also will now look into how this sits with the Data Protection Regulator here in the UK, especially with the General Data Protection Regulation (GDPR) only being 5 months away from being enforceable.

Admittedly, WD don’t host one’s data to my knowledge, it’s on the device that sits on one’s local network, but it is still a question worth having with them. Namely, to see where GDPR sits in regard to this actual type of manufacturer > consumer structure of such devices and a complete disregard for the consumer’s ability to keep their data secure enough, i.e. 180 days since receiving a security disclosure.

Additionally, these devices are no doubt often purchased by smaller businesses and hence GDPR would come into play so much more than for domestic purchasers of WD personal cloud devices. Also, these are physical devices in our possession, as opposed to Cloud Storage one pays a company for, to host and supposedly keep one’s data safe on one’s behalf.

I’m so utterly pissed with Western Digital, more than the last time I was here and found out how bad the device that they sold me was for vulnerabilities!!!

Let me in a room face to face with a Western Digital C-level member of personnel, oh I would love that!

Oh, yeah! I have few words to them too!
Where have they found such awkward developers?


We have posted an update in regards to this topic on the Western Digital Blog.

https://blog.westerndigital.com/western-digital-cloud-update/

Previously reported security vulnerabilities related to certain My Cloud products had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Other issues are being addressed in future updates.

One of those issues currently being addressed for a future update is that certain My Cloud models (only with firmware versions 2.xx but not My Cloud Home) with default settings could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network; or, if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. All affected My Cloud owners should restrict local network guest access only to people they trust. We are working on a firmware update for this issue and will make it available on our support download site as soon as possible. As always, we encourage users to contact Western Digital customer support should they need help updating their device. If you wish to contact customer support directly, please visit this page. You may need to use the “Change country” link on that page to find the most appropriate phone number for your location.

It is important to note that the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.

As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.

Western Digital works continuously to improve the capability and security of our products, including with the security research community to address issues they may uncover. We encourage responsible disclosure by customers and researchers to ensure our customers are protected while we address valid vulnerabilities.

*Models with Dashboard Cloud Access:

My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud EX2 Ultra
My Cloud DL2100
My Cloud DL4100
My Cloud PR2100
My Cloud PR4100
My Cloud Mirror
My Cloud Mirror Gen 2
Dashboard Cloud Access:

The Dashboard Cloud Access feature is available under Settings->General->Cloud Access.

Port Forwarding: Port forwarding of HTTP connections should be disabled on the My Cloud device and the router. On My Cloud devices the port-forwarding feature is available under Settings->Network->Port Forwarding and can be used only if the connected router supports UPnP.