Latest firmware still vulnerable

The 2nd gen, v2.x single bay My Cloud units use different firmware that is not compatible (due to the hardware used on the 2nd gen) with the first gen My Clouds. The 2nd gen uses a form of BusyBox.

Did they completely rewrite the web ui for gen 2? The bug is in the web endpoint. Not in the drivers or the underlying service (e.g. Busybox). Companies tend to not rewrite the entire software stack between generations since it can be cost prohibitive.

The firmware will be incompatible if the bundled drivers are different even if the web interfaces are all the same.

I’ll be happy to test it out if WD lends me a gen 2 hardware.

Alternatively, if any of the staff here who is on WD’s payroll and owns WD gen 2 can give me consent for testing the proof of concept exploit payload, that works too. We can find out in a few seconds.

Not to pile on top of the 85 security issues reported on Engadget today. But the issues I reported almost 2 years ago are different and are still unpatched! So total vulnerability count in my cloud is closer to 90 now. I’m sure there’s double or triple that floating around that I’m not aware of.

They should rename my cloud to public cloud :)

If you look inside the firmware, you will understand at once why bugs take so long to be corrected… It will be difficult even for a pro to understand this heap of bad stuff!
And look at the source code! It’s a bunch of slop!

Edith,
I agree, this poor response of WD to your reporting the security risk is shameful. Maybe you should try this sort of tactic:

A few years ago, I received a text message placed on my PC’s DESKTOP. I ran it through Norton Security before I opened it, and glad I read it! Someone unbeknownst to me, had discovered a security issue in my (and all) Asus routers. After I received this message Asus had a new firmware ready within a few days! Here is a jpg of that text file:

Sadly, even with good intentions, guerrilla tactics can land you in jail. So it’s not an option. I’d say contact Amazon, Best Buy, Walmart, etc. and ask them to temporarily halt sales until a fix is on the horizon. No one should be buying a product with 90+ publicly known security vulnerabilities with no ETA for a fix.

Also, hopefully a matter of time before FTC steps in. Here’s what happened to Asus not too long ago… Feds spank Asus with 20-year audit probe for router security blunder • The Register

20 years of security audit probe.

I think that the safest measure is to power off my MyCloud until the vulnerabilities are fixed. I will check back on a monthly basis and see if WD acknowledges and fixes the exposure.


Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell (https://www.stevencampbell.info/2016/12/command-injection-in-western-digital-mycloud-nas/) that were addressed with the firmware update made available on December 20, 2016 (Software and Firmware Downloads | WD Support). We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team at https://support.wdc.com/support/case.aspx if they have further questions; find firmware updates at Software and Firmware Downloads | WD Support; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practiced by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Versprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

[Edit 3/14/17]

In addition to the login bypass issue we addressed earlier and which was reported by both Steven Campbell and exploitee.rs, we have architected a solution to the new login bypass identified by exploitee.rs. We are currently internally testing this solution and anticipate it will be released soon. That release also will contain scheduled fixes, including for the unauthenticated command injection issues previously and responsibly identified by security researchers SEC Consult and Securify and recently disclosed by exploitee.rs.

Bill, I want to believe your statement. But we both know it’s not true. Why haven’t you fixed the security issues I responsibly disclosed 2 years ago?

At least from the outside WD only appears to take action when it either 1) hurts their bottom line or 2) there is a huge PR nightmare.

Please start by fixing security issues that have been outstanding for 2 years… then we can talk. Good?


Edith,

FYI, the tactic I suggested above was tongue-in-cheek; I just wanted you to know the lengths some people have gone to, to wake up a manufacturer to security issues they have swept under the rug.

THANKS for giving the link to the Asus debacle article; I never saw it, and it is exactly the issue I received the WARNING text for. BTW, my text msg is dated Feb.5, 2014. In fact, the article mentions the group that broadcast the issue to Asus router users:

“As a result, hackers had a field day. In February 2014, a hacking team used free tools to scan for Asus router IP addresses and found 12,937 vulnerable bits of kit and slurped the login credentials for 3,131 AiCloud accounts before posting them online.”

All this reminds me, I have to update the FW of my Asus router again!

This is precisely why I dissuade my customers from buying a My Cloud…because WD either can’t or won’t produce a secure, functional product.

Don’t be too hard on Bill_S, though. I’d guess he’s part of the WD social media team, and probably doesn’t have a direct link to the actual development group. And it’s more than clear that the code muppets don’t read this forum.


So, what do you suggest your customers buy?

Cloud storage and a USB HDD.

Hmm, no NAS of any kind. Interesting, well, to each his own.

Heh. The vast majority of my customers are not technically sophisticated enough to configure and manage a real NAS.

…and because of that, WD should take care of the security of these end-user devices,
but it’s painfully outdated, they only fix if sth. does not work.
as I said years ago: It is no alternative for cloud storage, because e.g. dropbox updates their servers for you…

Newbie here. So if I’ve got Cloud access disabled on the unit’s dashboard, is it still vulnerable? I’ve turned the device off for the moment, but if I want to copy its contents back out to a USB drive, am I better waiting until the fixes have been made, or is it ok to use to copy stuff off, with cloud access disabled? The unit is in my own network behind a firewall. Thanks for assisting.

Keep “Cloud Access” off and you should be OK. If this WD fix for security is like all the rest of them it will be quite a while. You just need to keep internet access off … as long as you are on your local network.

It’s not clear if simply turning off Cloud Access/Remote Access is enough. It’s possible, from the sounds of the following post in another thread, that the My Cloud may still be vulnerable even with Cloud Access/Remote Access turned off.

https://community.wd.com/t/reporting-security-vulnerabilities/96387/8