Major security vulnerability/exploitation discovered

Hi All,

Recently came across this article: https://www.theregister.co.uk/AMP/2018/01/08/wd_mycloud_nas_backdoor/

I have the WD My Cloud Mirror (gen1) and this seems to be an issue. The article references a firmware version that does not exist for this device. My firmware version is 2.11.168 - which is also the same downloadable version on WD’s site. What can we do to fix/patch this vulnerability? This is a huge concern.

I want to know about this as well. I have a WD MyCloud Mirror, and I can only update to 2.11.168 - updating to 2.30.174 is not available for my device.

WD - this is incredibly disappointing. You knew about this months ago. A fix should have been issued by now.

2.30.174 is for My Cloud EX2 Ultra Only
2.30.172 is for all other affected My Cloud.

I checked this morning for a software update for my MyCloud Mirror. 2.30.172 is not an option as an update. 2.11.168 is as high as WD offers.

Mirror Gen2 = 2.30.172
Mirror Gen1 = 2.11.168

Ok… So is the issue patched in that release on my device?

Dear SBrown,

Thank you for providing us with the latest patched firmware version 2.30.172. In a later post, dswv42 said “Other vulnerabilities were previously reported too. Some have been patched, others have not.” This could be a very objective statement, but does not give users peace of mind. Could you highlight the known critical vulnerabilities so far? I guess ordinary users do not need to shut down the My Cloud devices. But we would like to understand the extent of vulnerability.

I still feel that, sitting behind the home router, the device’s IP is hidden.

Thank you.

Hi @WD_Admin2 - thanks for the update. However, it says in the post:

"…if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities. "

How is this acceptable? This is one of the core functionalities of the WD My Cloud Mirror. The fact that “cloud” is in the name of the device implies that one should be able to access it from the cloud. With the directive to disable Dashboard Cloud Access and to remove port forwarding, it is single-handedly cauterizing the fundamental functions of this device. By doing so, we are converting this into a simple NAS volume. I could have paid far less if all I was going to get was a simple, LAN-access-only NAS device.

Furthermore, the post states:

We are working on a firmware update for this issue and will make it available on our support download site as soon as possible.

Can you provide parameters for what would be deemed an acceptable amount of time which satisfies “as soon as possible”? A week? A month? A year? How long should we wait for a firmware update from WD to patch a vulnerability that was:

  1. Patched by D-Link back in July 2014 on the DNS-320L model, from which WD ripped off the source code (why didn’t WD patch the vulnerability after D-Link released the patch?) (Source)

  2. Was disclosed to WD in June 2017, was confirmed by WD that the vulnerabilities exist, and committed to resolving the issue within 90 days, and failed to be patched by Jan 3, 2018 - nearly 180 days from when you acknowledged the vulnerability. (Source)

It appears that this exploit didn’t deserve WD’s serious attention until it made it into the media. That is irresponsible and unacceptable accountability from a company that apparently has “…the best selling NAS (network attached storage) device listed on the amazon.com website…” (Source).

What do you have to say for yourselves?

Do we have any updates on this? Are there still known security issues with these devices?

I have a MyCloud NAS, it has been disconnected and powered off for over a year due to security concerns.

This is the third WD NAS I have owned and the second MyCloud. As a repeat customer I find this whole issue more than a little off-putting.

Can someone please post an update of where we are in late 2019?

I just joined the forum because of this exploit. I think it is still there and it’s very concerning. Does anyone know any other things I could use for NAS instead of MyCloud? This is very serious.

I took one of my older ‘MyCloud’ drives apart, bought USB3 housings and have them mounted directly as USB3 external drives, cost around £25 for the pair. I now use these for backups instead of my second NAS. To be fair they are faster, more reliable and are not internet connected so it’s a win so far but doesn’t say much for the merits of NAS.

Hmmmm WD, first you mess up with security issues, then you fail to patch for years, you fail to respond to questions, you force your loyal customers to butcher your own drives to avoid security issues… one would think you are seriously trying to damage your own business!

Come on WD, it doesn’t matter so much that your patches are not ready yet but it does matter ignoring your customers or keeping them in the dark.

If this doesn’t get sorted soon I will never buy another WD device and will be flogging my second WD NAS for cheap on eBay…