Recent My Cloud vulnerabilities were reported by GulfTech, as shown in their report linked below.
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125
This case is particularly confusing because a number of products are listed as being vulnerable, yet available evidence seems to indicate that at least one reported vulnerability (backdoor) may not apply to all devices and/or firmware versions. To attempt to clear up some confusion, I downloaded and directly examined recent firmware bin files for various My Cloud models to see if vulnerable files are present.
DISCLAIMER: No attempt was made to reproduce and/or verify reported vulnerabilities, only that vulnerable files and/or code is present as reported. The following results are believed to be accurate, but mistakes can happen, so users should always perform their own verification regardless.
###########################################################################
# WDMyCloud <= 2.30.165 Multiple Vulnerabilities #
###########################################################################
Released Date: 2018-01-04
Last Modified: 2017-06-11
Company Info: Western Digital
Version Info:
Vulnerable
MyCloud
MyCloudMirror
My Cloud Gen 2
My Cloud PR2100
My Cloud PR4100
My Cloud EX2 Ultra
My Cloud EX2
My Cloud EX4
My Cloud EX2100
My Cloud EX4100
My Cloud DL2100
My Cloud DL4100
Not Vulnerable
MyCloud 04.X Series
MyCloud 2.30.174
01 - Unrestricted file upload (CVE-2017-17560)
/usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php
My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)
02 - Hard coded backdoor
/usr/local/modules/cgi/nas_sharing.cgi
My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (not vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (not vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (not vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (not vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (not vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable) <-- Not a Mistake
EX2100 - My_Cloud_EX2100_2.30.172.bin (not vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (not vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (not vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (not vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (not vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (not vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (not vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (not vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (not vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (not vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (not vulnerable)
03.1 - Cross site request forgery
/usr/local/modules/web/pages/dsdk/DsdkProxy.php
My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)
03.2 - Command injection
Too many vulnerable files to list.
My Cloud Gen 2 - My_Cloud_GLCR_2.30.165.bin (vulnerable)
My Cloud Gen 2 - My_Cloud_GLCR_2.30.172.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.165.bin (vulnerable)
My Cloud Mirror Gen 2 - My_Cloud_BWVZ_2.30.172.bin (vulnerable)
EX2 - My_Cloud_KC2A_2.11.168.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.165.bin (vulnerable)
EX2 Ultra - My_Cloud_BVBZ_2.30.174.bin (vulnerable)
EX4 - My_Cloud_LT4A_2.11.168.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.165.bin (vulnerable)
EX2100 - My_Cloud_EX2100_2.30.172.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.165.bin (vulnerable)
EX4100 - My_Cloud_EX4100_2.30.172.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.165.bin (vulnerable)
DL2100 - My_Cloud_DL2100_2.30.172.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.165.bin (vulnerable)
DL4100 - My_Cloud_DL4100_2.30.172.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.165.bin (vulnerable)
PR2100 - My_Cloud_PR2100_2.30.172.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.165.bin (vulnerable)
PR4100 - My_Cloud_PR4100_2.30.172.bin (vulnerable)
The status of other firmware versions and/or reported vulnerabilities is unknown.
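An added example, not part of the original post: one way to repeat the file check above on two firmware versions that have already been unpacked to directories (the unpacking step, the function names and the directory arguments are assumptions). It hashes the three file paths listed in the post and reports whether each one is absent, unchanged or changed between versions; a changed hash only marks a file worth inspecting by hand and does not by itself show that the reported code is present or gone.

```python
import hashlib
from pathlib import Path

# File paths named in the post, keyed by the post's own item numbers.
REPORTED_FILES = {
    "01 unrestricted file upload":
        "usr/local/modules/web/pages/jquery/uploader/multi_uploadify.php",
    "02 hard coded backdoor":
        "usr/local/modules/cgi/nas_sharing.cgi",
    "03.1 cross site request forgery":
        "usr/local/modules/web/pages/dsdk/DsdkProxy.php",
}

def audit_tree(root):
    """Map each reported item to the SHA-256 of its file under root, or None if absent."""
    root = Path(root).resolve()
    result = {}
    for item, rel in REPORTED_FILES.items():
        path = root / rel
        # A file that is itself a symlink is skipped: in an unpacked image
        # it may resolve to a location outside the firmware tree.
        if path.is_symlink() or not path.is_file():
            result[item] = None
        else:
            result[item] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result

def compare_trees(old_root, new_root):
    """Classify each reported file across two unpacked firmware versions."""
    old, new = audit_tree(old_root), audit_tree(new_root)
    status = {}
    for item in REPORTED_FILES:
        if old[item] is None and new[item] is None:
            status[item] = "absent in both"
        elif new[item] is None:
            status[item] = "removed"
        elif old[item] is None:
            status[item] = "added"
        elif old[item] == new[item]:
            status[item] = "unchanged"
        else:
            status[item] = "changed"
    return status

if __name__ == "__main__":
    import sys
    # Usage: script.py <unpacked_old_firmware_dir> <unpacked_new_firmware_dir>
    for item, state in compare_trees(sys.argv[1], sys.argv[2]).items():
        print(f"{item}: {state}")
```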