My EX2 Ultra will be unplugged until WD comes back with a satisfactory solution or response clearly indicating why the report is incorrect or does not apply to this model. Considering WD's superb QA on the hardware side, it's really disappointing to see how poor it is on the software side, especially as it relates to end-user data security. On top of that, it looks as if the staff copied dlink code. It just looks terribly sloppy and I don't know if I should place any trust in this brand anymore. Too bad…
In the meantime, is there any way to use this device without network access? Is there a way to access the files directly through USB?
Guys, can you test what happens if you try to log in to a firmware with a version equal to or lower than 2.30.165 with username mydlinkBRionyg and password abc12345cba?
Hi,
Thank you for the clarification!
So did 2.30.174 patch all those discovered vulnerabilities? For me this is not 100% clear from reading the changelog:
Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.
Resolved critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass.
Improved Cloud Access connectivity from the device.
Thank you for your effort. This is a never-ending nightmare and the situation is still confusing to me. Spending my Sunday afternoon trying to figure out how big of a risk there is to my data.
Gulftech.org now added 2.30.174 as "not vulnerable"? However, on 2.30.174 some things still look unpatched:
01 - Unrestricted file upload → Content of multi_uploadify.php looks unchanged to me / probably vulnerable
02 - Hard coded backdoor → Were not able to reproduce / probably not vulnerable
03.1 - Cross site request forgery → Were not able to reproduce / probably not vulnerable
03.2 - Command injection → no idea
03.3 - Denial of service → Reproducible / vulnerable
03.4 - Information disclosure → Reproducible / vulnerable
Created a support case with WD to get official feedback. After creation I got the message "You will love your WD product". No words for this.
When will these critical security issues be fixed on the EX2? They are still exploitable. I am alarmed by this carelessness leaving thousands of WD devices exploitable… This is not how you should treat your customers.