Good that this was broken out into a separate discussion from the older Exploitee discussion of past threads.
Sadly this is par for the course with WD firmware coding. They took multiple months to issue a fix for the Exploitee-mentioned vulnerability last year. Would guess WD typically sticks to their standard firmware release timeline rather than issue a special firmware release to fix one specific vulnerability or issue. However with the severity of this vulnerability (like the ability to delete the entire My Cloud contents from one command) I would hope they’d make an exception and issue a fix ASAP to those units affected by this vulnerability…
It’s not really even much to do with their coding. More to do with them getting the patched versions of the vulnerable packages from the nice open source community people who fix the vulnerabilities pretty quickly, and re-building the firmware. They don’t even seem to be able to do that in a timely manner.
This clarifies that the latest firmware (v2.30.172 11/16/17) contains serious vulnerabilities.
What isn’t clear to me is
if CVE-2017-17560 is a Gulftech vulnerability (or a variant)
if v2.30.172 firmware repaired any of the other Gulftech vulnerabilities (i.e. the hardcoded backdoor)
I’ve seen one independent researcher demonstrating the backdoor was still present in v2.30.172 but I can’t find any confirmation - so it’s just a rumor for now.
Either way, we are lacking specifics, and what we do know didn’t come from WD but from 3rd parties.
I do get that the Gulftech report got traction on a Friday but word of these exploits goes back to at least March 2017 & WD has been aware of the Gulftech report since June 2017.
It may be reasonable that patch development is taking longer than expected. However I can’t come up with a reasonable explanation why WD doesn’t have explanations ready for the train wreck they’ve known was coming for months.
Right now, the vibe feels like WD’s CS team had no idea these security holes were even in play. I hope the next thing they do is fully own up to the issues, expand on what the issues are and lay out a constantly updating timetable for patching.
I especially enjoyed when I logged into my own MyCloud device today to see that a Firmware Update was available! “They fixed it!”, I foolishly thought. They updated my device to a lesser version than the firmware which Gulftech states fixes these problems (Upgrade firmware to version 2.30.174)…not sure what I was upgraded to… and sure enough I SSH’d in to check the source code of the vulnerability to find THEY ARE STILL THERE.
It’s seriously a few line PHP change, Western Digital. I was going to patch this myself this morning but figured no thanks, I’d rather unplug my device and buy a completely new product that takes security seriously.
The problem with some or most of the vulnerabilities with the My Cloud firmware is that one can use a computer or mobile device on the local network to access a web page on the internet that could potentially issue the code to trigger the vulnerability.
So yes, with remote access turned off and FTP turned off it should be immune from direct attack from the internet. But that doesn’t stop the attack vector through a computer’s web browser on the local network. As always one should practice good safe web surfing habits and ensure their PC and the security software on that PC are up to date.
There are probably additional steps one could try to take on the local network, like segmenting the network, modifying the My Cloud firmware through SSH, etc. that may help limit (but not totally eliminate) the potential for this latest vulnerability announcement.
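As an added illustration of the browser-pivot vector described in the post above (this is example code written for this thread, not WD firmware, and not a description of the actual CVE), here is the kind of check a LAN device's request handler needs so that a page on the internet cannot drive the victim's browser into issuing state-changing requests to the device. The device host names, the `delete` action, the cookie name and the token scheme are all assumptions; the requests are constructed to show one legitimate request from the device's own UI beside two cross-site ones sent by the same browser with the same session cookie.

```python
"""Hypothetical CSRF / origin check for a LAN device's web handler.

Added example for this thread, not WD code. Models the vector where an
internet-hosted page makes the victim's browser send a request to a device
on the LAN. The browser attaches the device's session cookie automatically,
so the handler must not treat the cookie alone as proof the user intended
the action. Host names, paths and token scheme below are assumptions.
"""
import hmac
import secrets
from urllib.parse import urlparse

DEVICE_HOSTS = {"wdmycloud.local", "192.168.1.20"}   # assumed device addresses
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}             # must never change state


def issue_csrf_token(session_secret, session_id):
    """Derive a per-session anti-CSRF token (HMAC of the session id)."""
    return hmac.new(session_secret, session_id.encode(), "sha256").hexdigest()


def _origin_host(headers):
    """Host named by the Origin header (preferred) or Referer, else None."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlparse(value).hostname
    return None


def is_request_allowed(method, headers, form, session_secret, session_id):
    """Return (allowed, reason) for a request that reached the handler.

    Read-only methods pass. State-changing methods must (1) come from the
    device's own UI according to Origin/Referer and (2) carry the token bound
    to this session. A missing Origin/Referer is treated as cross-site: a
    browser submitting the device's own forms always sends at least one.
    """
    if method.upper() in SAFE_METHODS:
        return True, "read-only method"
    src = _origin_host(headers)
    if src not in DEVICE_HOSTS:
        return False, "cross-site or unknown origin: %r" % (src,)
    expected = issue_csrf_token(session_secret, session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False, "missing or invalid CSRF token"
    return True, "same-origin request with valid token"


# Constructed session state; on a real device the secret lives server-side.
SESSION_SECRET = secrets.token_bytes(32)
SESSION_ID = "sess-abc123"
TOKEN = issue_csrf_token(SESSION_SECRET, SESSION_ID)
COOKIE = "PHPSESSID=" + SESSION_ID   # the browser sends this either way

# Constructed requests: the first and last come from the device's own UI,
# the middle two are auto-submitted by a page on evil.example (assumed
# attacker host) that the user merely visited in the same browser.
REQUESTS = {
    "legit_delete": ("POST",
                     {"Origin": "http://wdmycloud.local", "Cookie": COOKIE},
                     {"action": "delete", "csrf_token": TOKEN}),
    "csrf_form_post": ("POST",
                       {"Origin": "http://evil.example", "Cookie": COOKIE},
                       {"action": "delete"}),
    "csrf_guessed_token": ("POST",
                           {"Referer": "http://evil.example/p.html",
                            "Cookie": COOKIE},
                           {"action": "delete", "csrf_token": "0" * 64}),
    "legit_read": ("GET",
                   {"Origin": "http://wdmycloud.local", "Cookie": COOKIE},
                   {}),
}


def evaluate_all():
    """Map each constructed request name to whether the handler accepts it."""
    return {name: is_request_allowed(m, h, f, SESSION_SECRET, SESSION_ID)[0]
            for name, (m, h, f) in REQUESTS.items()}


if __name__ == "__main__":
    for name, (m, h, f) in REQUESTS.items():
        print(name, is_request_allowed(m, h, f, SESSION_SECRET, SESSION_ID))
```

Two caveats a practitioner would want stated. First, the check only helps where the bug being abused is "the browser's cookie makes the request look authenticated"; it does nothing for an endpoint that needs no authentication at all, which is the more serious class the thread is discussing. Second, the `SAFE_METHODS` shortcut is only safe if the device really performs no state change on GET; a device that deletes on a GET URL can be hit with a plain `<img src=...>` tag and no form at all.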
“UPDATE: In a blog post, Western Digital says all issues reported by GulfTech were fixed in firmware version 2.30.172, and not 2.30.174, as Bercegay claimed.”
Per the WD blog link:
“These had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Minor issues are being addressed in future updates. Additionally, the My Cloud Home model architecturally is designed new from the ground up and we are not aware of any vulnerability to the security issues listed in the respective reports.”
a) why are WD not reporting things like that on this forum (or directed emails)? I have enough trouble keeping up with what is posted here, never mind in some random corporate blog
b) why do WD not identify the specific CVE vulnerabilities that they have addressed, as part of their firmware release documentation?
It’s all rather a shambolic approach to customer communication, isn’t it…?
They did. But that’s just one out of the large number of identified vulnerabilities…
It would be nice if they had a page, somewhere, that showed the status of identified and disclosed vulnerabilities, and their current status: identified, acknowledged, in progress (expected roll-out date), fixed (release version & date), etc. Plus suggested severity & mitigation until patched.
It might give us customers a warmer feeling…
Often, we have to remind them to post a firmware release message here…
Likewise. Their track record on communicating and addressing security concerns is very poor, and I doubt it’s going to change any time soon. The only thing that might is if there is a very significant outbreak of actual exploits, and they have to do some serious corporate image reconstruction. Which I hope never happens…