Multiple serious vulnerabilities including Backdoor etc. as disclosed by gulftech.org

Moving this info here from the other thread.

The National Vulnerability Database lists CVE-2017-17560 (12/12/2017) as Critical (9.8 out of 10.0).
see NVD - CVE-2017-17560

This clarifies that the latest firmware (v2.30.172 11/16/17) contains serious vulnerabilities.

What isn’t clear to me is

  • if CVE-2017-17560 is a Gulftech vulnerability (or a variant)
  • if v2.30.172 firmware repaired any of the other Gulftech vulnerabilities (ie: hardcoded backdoor)

I’ve seen one independent researcher demonstrating the backdoor was still present in v2.30.172 but I can’t find any confirmation - so it’s just a rumor for now.

Either way, we are lacking on specifics and what we do know didn’t come from WD but 3rd parties.
I do get that the Gulftech report got traction on a Friday but word of these exploits goes back to at least March 2017 & WD has been aware of the Gulftech report since June 2017.

It may be reasonable that patch development is taking longer than expected. However, I can’t come up with a reasonable explanation why WD doesn’t have explanations ready for the train wreck they’ve known was coming for months.

Right now, the vibe feels like WD’s CS team had no idea these security holes were even in play. I hope the next thing they do is fully own up to the issues, expand on what the issues are and lay out a constantly updating timetable for patching.
