I have the WD My Cloud Mirror (gen1) and this seems to be an issue. The article references a firmware version that does not exist for this device. My firmware version is 2.11.168 - which is also the same downloadable version on WD’s site. What can we do to fix/patch this vulnerability! This is a huge concern.
Thank you for providing us with the latest patched firmware version 2.30.172. In a later post, dswv42 said “Other vulnerabilities were previously reported too. Some have been patched, others have not.” This could be a very objective statement, but does not give users peace of mind. Could you highlight the known critical vulnerabilities so far? I guess ordinary users do not need to shut down the My Cloud devices. But we would like to understand the extent of vulnerability.
I still feel that, sitting behind the home router, the device’s IP is hidden.
Hi @WD_MCH - thanks for the update. However, it says in the post:
"…if the My Cloud owner has enabled Dashboard Cloud Access (certain models*) or enabled additional port forwarding to such My Cloud devices. To mitigate this issue, we strongly recommend that My Cloud owners who have made such changes disable the Dashboard Cloud Access and ensure their router and My Cloud device are secure by disabling additional port-forwarding functionalities."
How is this acceptable? This is one of the core functionalities of the WD My Cloud Mirror. The fact that “cloud” is in the name of the device implies that one should be able to access it from the cloud. With the directive to disable Dashboard Cloud Access and to remove port forwarding, it is single-handedly cauterizing the fundamental functions of this device. By doing so, we are converting this into a simple NAS volume. I could have paid far less if all I was going to get was a simple, LAN-access-only NAS device.
Furthermore, the post states:
We are working on a firmware update for this issue and will make it available on our support download site as soon as possible.
Can you provide parameters for what would be deemed an acceptable amount of time which satisfies “as soon as possible”? A week? A month? A year? How long should we wait for a firmware update from WD to patch a vulnerability that was:
Patched by D-Link back in July 2014 on the DNS-320L model, from which WD ripped-off the source code (why didn’t WD patch the vulnerability after D-Link released the patch?) (Source)
Disclosed to WD in June 2017, confirmed by WD to exist, with a commitment to resolve the issue within 90 days, and still not patched by Jan 3, 2018 - nearly 180 days from when you acknowledged the vulnerability. (Source)
It appears that this exploit didn’t deserve WD’s serious attention until it made it into the media. That is irresponsible and unacceptable accountability from a company that apparently has “…the best selling NAS (network attached storage) device listed on the amazon.com website…” (Source).
I took one of my older ‘MyCloud’ drives apart, bought USB3 housings and have them mounted directly as USB3 external drives, cost around £25 for the pair. I now use these for backups instead of my second NAS. To be fair they are faster, more reliable and are not internet connected so it’s a win so far but doesn’t say much for the merits of NAS.
Hmmmm WD, first you mess up with security issues, then you fail to patch for years, you fail to respond to questions, you force your loyal customers to butcher your own drives to avoid security issues… one would think you are seriously trying to damage your own business!
Come on WD, it doesn’t matter so much that your patches are not ready yet, but it does matter that you ignore your customers or keep them in the dark.
If this doesn’t get sorted soon I will never buy another WD device and will be flogging my second WD NAS for cheap on eBay…