My Cloud Security


WD should update some of the packages here (OpenSSL, Samba, sqlite…)

||/ Name Version Architecture Description

ii afp 03.01.07-ac5ffd5 armhf Afp service configuration - netatalk
ii alerts 02.00.00-5972515 all WD alert definition and scripts
ii apache-php-webdav 02.00.01-dfafb9b all Apache, php, webdav, with WD configuration
ii apache2 2.4.10-10+deb8u3 armhf Apache HTTP Server
ii apache2-bin 2.4.10-10+deb8u3 armhf Apache HTTP Server (modules and other binary files)
ii apache2-data 2.4.10-10+deb8u3 all Apache HTTP Server (common files)
ii apache2-mpm-prefork 2.4.10-10+deb8u3 armhf transitional prefork MPM package for apache2
ii apache2-utils 2.4.10-10+deb8u3 armhf Apache HTTP Server (utility programs for web servers)
ii openssh-client 1:6.0p1-4 armhf secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:6.0p1-4 armhf secure shell (SSH) server, for secure access from remote machines
ii openssl 1.0.1m-1 armhf Secure Sockets Layer toolkit - cryptographic utility
ii openvpn 2.2.1-8+deb7u2 armhf virtual private network daemon
ii paragon-ufsd 08.05.01-bebc03c armhf Paragon ufsd (NTFS/HFS+/J file system driver)
ii parted 2.3-12 armhf disk partition manipulator
ii passwd 1: armhf change and administer password and group data
ii perl 5.14.2-21 armhf Larry Wall’s Practical Extraction and Report Language
ii perl-base 5.14.2-21 armhf minimal Perl system
ii perl-modules 5.14.2-21 all Core Perl modules
ii php-apc 4.0.4-1 all APC User Cache for PHP 5 (transitional package)
ii php5-apcu 4.0.7-1 armhf APC User Cache for PHP 5
ii php5-cli 5.6.7+dfsg-1 armhf command-line interpreter for the php5 scripting language
ii php5-common 5.6.7+dfsg-1 armhf Common files for packages built from the php5 source
ii php5-curl 5.6.7+dfsg-1 armhf CURL module for php5
ii php5-json 1.3.6-1 armhf JSON module for php5
ii php5-sqlite 5.6.7+dfsg-1 armhf SQLite module for php5
ii procps 1:3.3.3-3 armhf /proc file system utilities
ii psmisc 22.20-1 armhf utilities that use the proc file system
ii python 2.7.3-4+deb7u1 all interactive high-level object-oriented language (default version)
ii python-minimal 2.7.3-4+deb7u1 all minimal subset of the Python language (default version)
ii python2.7 2.7.3-6 armhf Interactive high-level object-oriented language (version 2.7)
ii python2.7-minimal 2.7.3-6 armhf Minimal subset of the Python language (version 2.7)
ii samba-common 2:3.6.6-6+deb7u1 all common files used by both the Samba server and client
ii samba-common-bin 2:3.6.6-6+deb7u1 armhf common files used by both the Samba server and client
ii sed 4.2.1-10 armhf The GNU sed stream editor
ii sensible-utils 0.0.7 all Utilities for sensible alternative selection
ii sg3-utils 1.33-1 armhf utilities for devices using the SCSI command set
ii smartmontools 5.41+svn3365-1 armhf control and monitor storage systems using S.M.A.R.T.
ii smb-file 01.00.00-a53eca3 armhf SMB implementation. currently using Samba
ii smbclient 2:3.6.6-6+deb7u1 armhf command-line SMB/CIFS clients for Unix
ii sq 04.04.02-105 armhf Sequoia project package
ii sqlite3 armhf Command line interface for SQLite 3
ii strace 4.5.20-2.3 armhf A system call tracer
ii strings 01.00.00-8ada46d all localization strings
ii sudo 1.8.5p2-1+nmu1 armhf Provide limited super user privileges to specific users
ii sysstat 10.0.5-1 armhf system performance tools for Linux
ii sysv-rc 2.88dsf-41 all System-V-like runlevel change mechanism
ii sysvinit 2.88dsf-41 armhf System-V-like init utilities
ii sysvinit-utils 2.88dsf-41 armhf System-V-like utilities
ii tar 1.26+dfsg-0.1 armhf GNU version of the tar archiving utility

thank you!

Have you contacted WD directly? This forum is primarily a user to user support forum. Per this thread, WD has stated the following; “We encourage all security researchers to report potential security vulnerabilities or concerns to WD Customer Service and Support at”.

Hi Bennor,

I did this in the past. After >20 e-mails, I was offered a refund. But I wanted an update.
maybe you could you please pass this to the correct department? I am sure this would be faster.

I cannot “pass” anything along as I and most others here do not work for WD. As explained this is primarily a user to user support forum and most, including myself, are mere customers who came here for one reason or another and have stayed to help others with their issues and learn more about the My Cloud.

Any User Forum is just end-user to end-user assistance, for any vendor.
We are all just regular users trying to help other users.

If you actually want WD support, contact them directly.

Hey Guys,

The moderators saw and passed this along. They are looking into it. @d-fens, have they contacted you yet?

I think d-fens’ request is pretty clear from the OP: update to the latest packages at the next firmware release. I’m sure your security guys are constantly tracking security updates to Debian… <snorts in derision…>


they already contacted me, and I send them three very well documented vulnerabilities as an example.
I hope there will be a new firmware soon, maybe with a public share that can be disabled :joy: this one is a real classic for some years now :smiley:

Thank you for bringing it to our attention. We do take any security vulnerability seriously. Just keep in mind that it does take time to go through the process.

2 months have passed, and still no update.
to be honest, it’s useless to share details with support - they don’t do anything as long as everything works. the target audience for these devices thinks their files are more secure on their my cloud in comparison to, let’s say, dropbox :smile: connected to misconfigured SoHo-routers… :confused:
but right there are more hardware releases than software releases :sob:
this saddens me, the hardware is great and I like the design of the mobile apps, but without a firmware that is up-to-date… :frowning:

Guessing your oday didnt pan out?

WD updated many packages, that’s the minimum I wanted:

the linux kernel, Apache, PHP, OpenSSL, OpenSSH, libupnp, jQuery, Samba

Some of these update fixed 0 days

Friend I got ptrace from 2.35.* still isnt patched… please remove Linux Kernel from your patched files? Just kidding… Team Teso!!! 4 Life