Multiple serious vulnerabilitys including Backdoor etc. as disclosed by gulftech.org

As statet here:

http://www.gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

there are multiple serious vulnerabilitys in several McCloud Products. Including a Backdoor with hardcoded credentials for root access.

It is highly advised to disconnect the devices from the net.

Please read this posting as well as there is more information available. I just created this new topic as was adived in the old one.

1 Like

Good that this was broken out into a seperate discussion from the older Exploitee discussion of past threads.

Sadly this is par for the course with WD firmware coding. They took multiple months to issue a fix for the Exploitee mentioned vulnerability last year. Would guess WD typically sticks to their standard firmware release timeline rather than issue a special firmware release to fix one specific vulnerability or issue. However with the severity of this vulnerability (like the ability to delete the entire My Cloud contents from one command) I would hope they’d make an exception and issue a fix ASAP to those units affected by the this vulnerability…

It’s not really even much to do with their coding. More to do with them getting the patched versions of the vulnerable packages from the nice open source community people who fix the vulnerabilities pretty quickly, and re-building the firmware. They don’t even seem to be able to do that in a timely manner.

Moving this info here from the other thread.

The National Vulnerability Database lists CVE-2017-17560 (12/12/2017) as Critical (9.8 out of 10.0).
see NVD - CVE-2017-17560

This clarifies that the latest firmware (v2.30.172 11/16/17) contains serious vulnerabilities.

What it isn’t clear to me is

  • if CVE-2017-17560 is a Gulftech vulnerability (or a variant)
  • if v2.30.172 firmware repaired any of the other Gulftech vulnerabilities (ie: hardcoded backdoor)

I’ve seen one independent researcher demonstrating the backdoor was still present in v2.30.172 but I can’t find any confirmation - so it’s just a rumor for now.

Either way, we are lacking on specifics and what we do know didn’t come from WD but 3rd parties.
I do get that the Gulftech report got traction on a Friday but word of these exploits goes back to at least March 2017 & WD has been aware of the Gulftech report since June 2017.

It may be reasonable that patch development is taking longer than expected. However I can’t come up with a reasonable explanation why WD doesn’t have explanations ready for the train wreck they’ve know was coming for months.

Right now, the vibe feels like WD’s CS team had no idea these security holes were even in play. I hope the next thing they do is fully own up to the issues, expand on what the issues are and lay out a constantly updating timetable for patching.

1 Like

I especially enjoyed when I logged into my own MyCloud device today to see that a Firmware Update was available! “They fixed it!”, I foolishly thought. They updated my device to a lesser version than the firmware which Gulftech states fixes these problems (Upgrade firmware to version 2.30.174)…not sure I was upgraed to… and surely enough I SSH’d in to check the source code of the vulnerability to find THEY ARE STILL THERE.

It’s seriously a few line PHP change, Western Digital. I was going to patch this myself this morning but figured no thanks, I’d rather unplug my device and buy a completely new product that takes security seriously.

1 Like

Does someone know if it’s secure enough to just use the device within local LAN and giving the WD device no access to the internet?
For example via Router driven restrictions.

The problem with some or most of the vulnerabilities with the My Cloud firmware is that one can use a computer or mobile device on the local network to access a web page on the internet that could potentially issue the code to trigger the vulnerability.

So yes, with remote access turn off and FTP turn off it should be immune from direct attack from the internet. But that doesn’t stop the attack vector through a computer’s web browser on the local network. As always one should practice good safe web surfing habits and ensure their PC and security software on that PC is up to date.

There are probably additional steps one could try and take on the local network, like segmenting the network, modifying the My Cloud firmware through SSH, etc. that may help limit (but not totally eliminate) the potential for this latest vulnerability announcement.

Looks like they may have fixed the problem.

Per that link:

“UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.”

Per the WD blog link:

“These had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Minor issues are being addressed in future updates. Additionally, the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.”

Which begs the questions:

a) why are WD not reporting things like that on this forum (or directed emails)? I have enough trouble keeping up with what is posted here, never mind in some random corporate blog
b) why do WD not identify the specific CVE vulnerabilities that they have addressed, as part of their firmware release documentation?

It’s all rather a shambolic approach to customer communication, isn’t it…?

1 Like

I appreciate users here clarifying this mess.

What’s left is CVE-2017-17560 vulnerability in firmware 2.30.172.

The vulnerability was found thru testing on a MyCloud PR4100.
I don’t know if this means that every device with v2.30.172 firmware is affected or not.

To be fair, WD did specifically state they patched CVE-2017-7494 in 2.30.172 and 04.05.00-320:

Release Notes 2.30.172
Release Notes 04.05.00-320

  • Resolved SMB server (samba) security vulnerability (CVE-2017-7494) - Malicious clients can upload and cause the SMB server to execute a shared library from a writable share.
1 Like

Was only posting to indicate WD did indicate a specific CVE in the realease notes, not that it was actually fixed.

Obviously these devices need to be retested to ensure WD actually has plugged the vulnerability.

They did. But that’s just one out the the large number of identified vulnerabilities…

It would be nice if they had a page, somewhere, that showed the status of identified and disclosed vulnerabilities, and their current status: identified, acknowledged, in progress (expected roll-out date), fixed (release version & date), etc. Plus suggested severity & mitigation until patched.

It might give us customers a warmer feeling…

Often, we have to remind them to post a firmware release message here…

Likewise. Their track record on communicating and addressing security concerns is very poor, and I doubt it’s going to change any time soon. The only thing that might is if there is a very significant outbreak of actual exploits, and they have to do some serious corporate image reconstruction. Which I hope never happens…