Latest firmware still vulnerable

Unsaid, unless I missed it, the exploitee.rs and sec-consult.com reports do not seem to mention the first gen single bay My Cloud v4.x firmware.

"vulnerable version: at least: 2.21.126 (My Cloud), "

Just did the same with the gen 1 and gen 2 single bay My Cloud models. Hope I have the data and formulas input right.

So as not to compare apples and oranges, the PR series is newest, and when new, the FW releases come more frequently at first. The EX/DL series were released at the same time over two years earlier, and as the devices (stabilize?) FW releases are less frequent.

From this article, it states:
“News of this #EpicFail came from SEC Consult Vulnerability Lab which published an advisory on Tuesday after someone named Zenofex went public with full details of the flaws. Here’s the kicker: SEC Consult warned WD back in January that it had uncovered holes in the My Cloud firmware, and gave the vendor 90 days to fix the bugs before it would reveal its findings to the world. Clearly that never happened. But it’s a safe bet with all this negative press that Western Digital is going to fix this real bloody quick. Which is a shame as it should never get to this point before companies do the right thing.”

What the Heck!!! WD knew of this over 90 Days ago! According to the 2 Charts above, by dsw42 and Bennor (Thanks to both), this should have been fixed already. Apparently WD does not care about us (Customers) or, it seems, its reputation.

The mentioned “Create a Support ticket” in an earlier post by Staff, about vulnerability, means nothing. WD doesn’t even heed the warnings from the SEC Consult Vulnerability Lab as it appears.

WD, what about MS?? They supposedly pulled/delayed the February security updates because of problems some users were having but stated later they’d just skip them for the month!

Yes it would follow that WD (and most other manufacturers) will update their newer product firmware before updating their older products. I wasn’t attempting to make a comparison between the PR series and the single bay series, rather just posting the data so others can get a feel for the time interval (such that it is) between firmware updates for the single bay My Cloud units. Currently WD averages about two months between firmware releases for the single bay My Cloud units.

Yep the beta and older firmware module versions used in the single bay/single drive My Cloud units has been a repeated complaint in this subforum. People also gripe about Twonky being out of date as well.

see my post here:
https://community.wd.com/t/please-update-the-packages-of-the-my-cloud-nas/191818

they don’t care :(

He-he…
I have WD MyCloud Gen2 and WD MyCloud Mirror (Gen1 & Gen2).
All worked on Kernel v4.4.8(Marvell/armada-17.02.2) and latest Debian Jessie with all latest software updates.

Hmm… maybe port firmware from WDMC Gen1 (v03.x, based on Debian Wheezy) and upgrade it to Debian Jessie + WD Bin’s from v2.xx firmware? It’s possible, but it needs too many changes in the WD part…

Guys, is there a way to know if I was compromised and hacked? My device was on with cloud access enabled… is there a log? Or could I see the changes resulting when I have been hacked?

how can I have antivirus installed on the NAS?

If I restore the device, will I get rid of potential access by the attacker(s)?

Most AV programs installed to a computer will allow you to run a custom scan. If so just select the Share(s), or the mapped drive, or the entire My Cloud and run a scan.

If you have the v2.x firmware version single bay My Cloud units one may be able, with a little hacking using SSH, to add a third party AV scanner like the more expensive My Cloud units can use.

https://community.wd.com/t/wd-mycloud-gen2-enable-apps-install-tab-apps/177885

Oh, the app section in the dashboard doesn’t look like that; I only have HTTP and FTP there. Why? My device is Gen 2.

Officially the gen 2 single bay/single drive My Clouds DO NOT support adding third party modules like the My Cloud Mirror and more expensive My Cloud units support. Which is why there is the unofficial hack mentioned above that allows for some/many of the third party modules to be installed or added to the gen 2 single bay My Cloud units.

ok, thanks for clarifying

What can I do to stay as safe as possible with My Cloud NAS on my home network?
Can I use these guidelines, or should I simply turn off My Cloud and wait for an update?

Proposed guidelines:

  1. Turn off Remote Access in My Cloud dashboard.

As it’s probably not safe simply turning off Remote Access, I must also:

  1. … turn off access to Internet if at least one machine has access to My Cloud.

  2. Don’t expose my external IP-address to hackers.

It is about time for an official guideline / best practice!

I’m not holding my breath on that one. WD has NEVER stepped forward with anything to help with a temp solution, I’m sure they don’t trust their own devices either.

Since I’m sure you all have read the statement I posted over the last couple of days, I won’t post the entire content. However, we have added this statement below as an edit.

In addition to the login bypass issue we addressed earlier and which was reported by both Steven Campbell and exploitee.rs, we have architected a solution to the new login bypass identified by exploitee.rs. We are currently internally testing this solution and anticipate it will be released soon. That release also will contain scheduled fixes, including for the unauthenticated command injection issues previously and responsibly identified by security researchers SEC Consult and Securify and recently disclosed by exploitee.rs.
