Latest firmware still vulnerable

Do it! We have to show them.
Maybe posting on Reddit could work, or talking with Engadget.

Yes; you’ve given them more than enough opportunity. It’s time to make their failings as public as possible. They will only take action if their public perception is damaged. It’s quite clear they really aren’t concerned about reports posted on this forum; not public enough.

The only way to get them to take effective action is to threaten their sales.

No, they probably won’t unless they do a complete and full rewrite of the firmware from the ground up, which is probably a very expensive endeavour that they are very reluctant to do on the lower-end consumer units because they probably don’t see much of an ROI at this time.

I doubt it would require a full re-write. It would require a decent analysis of the code (much of which appears to have been done for them), and a proper programme of internal penetration testing. Updating packages would probably be sensible.

There is an ROI if it is made clear to the buying public that, at the moment, they don’t care a hoot about security; they are still trying to sell more My Cloud devices.

It may not require a full rewrite, but doing so would potentially fix a lot of outstanding issues, including old/beta modules/forks that are present in the current firmware. If this was a simple fix, WD would have or could have done it already. The fact that they haven’t seems to indicate either a problem with code writing that cannot be easily surmounted, or a bean-counting/corporate decision not to update the firmware to fix security issues and to stick to whatever internal timeline they have for releasing My Cloud firmware.

Right now we are all just speculating, because there is a lack of communication coming from WD on these security issues other than a generic acknowledgement that they are aware of them. The same generic line they’ve been using for months now while these potential issues go unpatched.

@Bill_S will post an official announcement in the morning… v 2.11.164 has been released for My Cloud Mirror, EX2 and EX4.

Firmware Version 2.11.164 (03/30/2017)
Resolved Issues:

  • Resolved issue of unable to toggle ON and OFF the product improvement option

  • Resolved issue of unable to create/import multiple users and groups

  • Resolved issue of unable to open a technical support case from the dashboard

Firmware Version 2.11.163 (03/17/2017)
Resolved Issues:

  • Resolved critical security vulnerabilities.

What about the other product lines?

If it wasn’t so serious I would kinda laugh at this … “Resolved critical security vulnerabilities.” What vulnerabilities? How many are patched? What do you call critical? … Really!! This is all the information for WD customers?

Any updates for My Cloud?
No updates?

Vulnerability!? Who cares!!!

But the most important issue is solved now finally!!

Getting user data is much more important for… WD.
Ironic mode switched off.

@SBrown, thanks for the response. Will the other My Cloud models be receiving an update? Or are only the three My Cloud models mentioned (Mirror, EX2, EX4) the models affected by the announced security vulnerabilities?

If other models are affected, when will they be receiving a firmware update to fix these issues? If they will not be receiving an update soon (like within a day or two), what can customers do to mitigate any potential security vulnerabilities while they await WD releasing a firmware update for their My Cloud model?

My EX2 Ultra is not showing me any new update via OTA here in Germany.
So is it actually released? Or is it merely “announced” to be released?

@Bennor

@Bill_S will post an announcement when the other My Cloud firmware updates are released.

Meanwhile, if I disable remote access, I should be fine?

I note that Firefox v51 now reports that the password entry dialogue on the Dashboard is not secure.

See the following Mozilla Support doc that explains this new “feature” in Firefox 51:

https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

Basically, what it means is that the page you are trying to enter a password on isn’t served over https://.
Use https://wdmycloud and you’ll see the Firefox warning no longer displays.
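The condition behind the Firefox 51 warning is mechanical: a password field on a page that was not loaded over HTTPS, or a login form whose submit target is not HTTPS, means the credential crosses the wire in the clear. The script below, an added example that is not part of this thread or WD’s firmware, reproduces that check over a page’s HTML so you can test a device dashboard yourself. The sample HTML and the `/cgi-bin/login.cgi` form action are constructed for illustration, not taken from the My Cloud firmware.

```python
"""
Flag password fields that Firefox 51+ would mark as insecure:
  - a password <input> on a page that was not loaded over HTTPS, or
  - a form containing a password <input> whose action submits to a non-HTTPS URL.
Uses only the standard library so it runs offline against saved HTML.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample login pages (not the real My Cloud dashboard markup).
SAMPLE_LOGIN_HTML = """
<html><body>
<form method="post" action="/cgi-bin/login.cgi">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Login">
</form>
</body></html>
"""

# Same page, but the form posts to an absolute http:// URL even if the page is https://.
SAMPLE_LOGIN_HTML_HTTP_ACTION = SAMPLE_LOGIN_HTML.replace(
    'action="/cgi-bin/login.cgi"', 'action="http://wdmycloud/cgi-bin/login.cgi"'
)


class _FormScanner(HTMLParser):
    """Collect every <form> with its resolved action and whether it holds a password field."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []          # each entry: {"action": absolute URL, "has_password": bool}
        self._current = None     # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            # A missing or empty action submits back to the page's own URL.
            action = attrs.get("action") or self.page_url
            self._current = {"action": urljoin(self.page_url, action), "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._current is not None:
                self._current["has_password"] = True
            else:
                # A password field outside any form is usually submitted by script;
                # treat it as posting to the page URL so it is still evaluated.
                self.forms.append({"action": self.page_url, "has_password": True})

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def insecure_password_forms(page_url, html):
    """Return human-readable findings for each password form that is not end-to-end HTTPS."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    findings = []
    page_scheme = urlsplit(page_url).scheme.lower()
    for form in scanner.forms:
        if not form["has_password"]:
            continue
        action_scheme = urlsplit(form["action"]).scheme.lower()
        if page_scheme != "https":
            findings.append(f"password field on non-HTTPS page {page_url}")
        if action_scheme != "https":
            findings.append(f"password form submits to non-HTTPS action {form['action']}")
    return findings


if __name__ == "__main__":
    for url, html in [("http://wdmycloud/", SAMPLE_LOGIN_HTML),
                      ("https://wdmycloud/", SAMPLE_LOGIN_HTML),
                      ("https://wdmycloud/", SAMPLE_LOGIN_HTML_HTTP_ACTION)]:
        print(url, insecure_password_forms(url, html) or ["ok"])
```

Note that switching the address bar to https:// only silences the first finding; a dashboard whose form action is hard-coded to http:// would still be flagged, and the check says nothing about whether the certificate presented on https:// is trustworthy.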

If I use https, Firefox tells me the My Cloud isn’t set up to support https on the Dashboard page…

Your connection is not secure

The owner of wdmycloud has configured their web site improperly. To protect your information from being stolen, Firefox has not connected to this web site.

wdmycloud uses an invalid security certificate.

Looks like I have to accept the invalid certificate. We’re back to the problem of WD not issuing valid SSL certificates, and legitimate web browsers warning users that they may be being spoofed.

While doing some investigation, I noticed that the My Clouds are being removed from reviews. This is from “Wirecutter”:

Our previous runner-up was discontinued, so we retested the pick against three new NAS units to find our new runner-up pick, the Synology DiskStation DS216+II. We’ll do a more thorough update in mid-2017 once more new models are available. We’ve removed our “beginner NAS” pick, the WD My Cloud Mirror, until WD fixes recently disclosed security flaws.

Another article, from hardocp.com, states:

Interesting to see WD put this back on exploitee.rs for not “following” its security model. That said, the site did address exactly this in the story linked yesterday, and pretty much laid it out that WD’s security efforts are paltry at best.
Responsible Disclosure - At Exploitee.rs, we normally attempt to work with vendors to ensure that vulnerabilities are properly released. However, after visiting the Pwnie Awards at the last BlackHat Vegas, we learned of the vendor’s reputation within the community. In particular, this vendor won a “Pwnie for Lamest Vendor Response” in a situation where the vendor ignored the severity of a set of bugs reported to them. Ignoring these bugs would leave the vulnerable devices online for longer periods while responsible disclosure is worked out. Instead we’re attempting to alert the community of the flaws and hoping that users remove their devices from any public facing portions of their networks, limiting access wherever possible. Through this process, we’re fully disclosing all of our research and hoping that this expedites the patches to users’ devices.
My thought is that WD would have been better off to not shoot the messenger about its security issues, but rather fix it.

I never got a warning email about this… and my devices are registered.

Offering TLS (SSL v3 is insecure, btw) for on-prem devices en masse is a bit more complicated. Still feasible, though. You can read about how Plex solved this issue here: How Plex is doing HTTPS for all its users

I obviously don’t expect WD to expend any effort here. They’ve shown time and time again that they’re content exposing customers to known risks for an indefinite period of time.

I think their security model is ignoring vulnerability disclosures and pointing fingers when it becomes news. :) Whatever process or model they have isn’t working if they aren’t fixing responsibly disclosed vulnerabilities after 2 years. So much fail.