Major Backdoor affecting several My Cloud devices

I came across this story today about a major security concern for My Cloud devices. This backdoor allows root access through the internet:

Uses username mydlinkBRionyg and password abc12345cba and apparently has not been patched, despite being known for over 6 months.

When will this be patched, and what is the official recommendation until it has been patched to keep our data secure?


Here is a link to the GulfTech article that outlines several security issues with the My Cloud devices, including the backdoor:
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

The latest firmware update still has this critical security issue.

A fix for this is urgent. Customers have trusted WD, until now.

How can WD live with this?

My EX2 Ultra will be unplugged until WD comes back with a satisfactory solution or response clearly indicating why the report is incorrect or does not apply to this model. Considering WD’s superb QA on the hardware side, it’s really disappointing to see how poor it is on the software side, especially as it relates to end-user data security. On top of that, it looks as if the staff copied dlink code. It just looks terribly sloppy and I don’t know if I should place any trust in this brand anymore. Too bad…

In the meantime, is there any way to use this device without network access? Is there a way to access the files directly through USB?

Thanks


Guys, can you test what happens if you try to log in to a firmware with version equal to or lower than 2.30.165 with username mydlinkBRionyg and password abc12345cba?

Because on version 2.30.174 it doesn’t work.

Hi,

You do not log in to the user login with the credentials. What you do is visit a URI like the one below, or have an internet-exposed NAS:

http://yourhost/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech;

You will know you are vulnerable if a file exists in /tmp/ named “gulftech”.

WDMyCloud <= 2.30.165 is vulnerable. 2.30.174 is not.
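The post above gives the shape of the request and the version boundary; the following is an added defender-side example (not code from the thread, WD or GulfTech) that applies those two facts as detection logic. It assumes a combined-format web access log, and the log lines it scans are constructed for the example.

```python
import re

SCRIPT = "/cgi-bin/nas_sharing.cgi"
BACKDOOR_USER = "mydlinkBRionyg"   # hard-coded account named in the thread / GulfTech advisory
FIXED = (2, 30, 174)               # thread: <= 2.30.165 vulnerable, 2.30.174 not

# Constructed access-log lines (combined-format style); not taken from a real device.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2018:14:02:11 +0000] "GET /cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMTIzNDVjYmE&start=1&count=1;touch+/tmp/gulftech; HTTP/1.1" 200 512
192.168.1.20 - - [07/Jan/2018:14:03:40 +0000] "GET /web/index.html HTTP/1.1" 200 8201
198.51.100.9 - - [07/Jan/2018:14:05:02 +0000] "GET /cgi-bin/nas_sharing.cgi?cmd=15&user=bob HTTP/1.1" 401 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

def firmware_is_vulnerable(version: str) -> bool:
    """True when the dotted version sorts below the first fixed release named in the thread."""
    return tuple(int(p) for p in version.split(".")) < FIXED

def parse_query(uri: str) -> dict:
    """Minimal query parser: splits on '&' only, so a ';' stays inside the value it was injected into."""
    _, _, query = uri.partition("?")
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params.setdefault(key, []).append(value)
    return params

def indicators(uri: str) -> list:
    """Names of the signs from the thread present in one request URI; empty list if none."""
    if uri.partition("?")[0] != SCRIPT:
        return []
    q = parse_query(uri)
    hits = []
    if BACKDOOR_USER in q.get("user", []):
        hits.append("backdoor-user")
    if q.get("dbg") == ["1"] and "51" in q.get("cmd", []):
        hits.append("dbg-cmd51")
    if any(";" in v for vals in q.values() for v in vals):
        hits.append("shell-metachar")
    return hits

def scan_log(text: str) -> list:
    """Return (client_ip, status, indicators) for every line showing at least one sign."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            hits = indicators(m["uri"])
            if hits:
                found.append((m["ip"], int(m["status"]), hits))
    return found

if __name__ == "__main__":
    for ip, status, hits in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} {','.join(hits)}")
```

A status of 200 on a flagged line means the device answered the request rather than rejecting it, which is the case to triage first.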

Hi,
Thank you for the clarification!
So did 2.30.174 patch all those discovered vulnerabilities? For me this is not 100% clear from reading the changelog:

  • Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.
  • Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.
  • Improved Cloud Access connectivity from the device.

Discovered vulnerabilities:
01 - Unrestricted file upload
01.1 - Vulnerable code analysis
01.2 - Remote exploitation

02 - Hard coded backdoor
02.1 - Vulnerable code analysis
02.2 - Remote exploitation

03 - Miscellaneous security issues
03.1 - Cross site request forgery
03.2 - Command injection
03.3 - Denial of service
03.4 - Information disclosure

Thank you for your effort. This is a never-ending nightmare and the situation is still confusing to me. I'm spending my Sunday afternoon trying to figure out how big of a risk there is to my data.

Gulftech.org has now added 2.30.174 as “not vulnerable”? However, on 2.30.174 some things still look unpatched:

01 - Unrestricted file upload -> Content of multi_uploadify.php looks unchanged to me / probably vulnerable
02 - Hard coded backdoor -> Was not able to reproduce / probably not vulnerable
03.1 - Cross site request forgery -> Was not able to reproduce / probably not vulnerable
03.2 - Command injection -> no idea
03.3 - Denial of service -> Reproducible / vulnerable
03.4 - Information disclosure -> Reproducible / vulnerable

Created a support case with WD to get an official feedback. After creation I got the message “You will love your WD product”. No words for this.

What about firmware 2.11.168 of the My Cloud EX2?

Sooooo, what's the point, WD guys??? Fix this thing quickly!!

When will these critical security issues be fixed on the EX2? They are still exploitable. I am alarmed by this carelessness leaving thousands of WD devices exploitable… This is not how you should treat your customers.