MyCloud Exploit / Backdoor


#1

Hi,

Is anyone from Western Digital able to comment on this exploit / backdoor which was recently published?

The explanation in here especially is scary:
http://gulftech.org/advisories/WDMyCloud%20Multiple%20Vulnerabilities/125

Cheers,

JediNite


#2

Link in another WD forum:


#3

And another:


#4

Please check this updated communication:
https://blog.westerndigital.com/western-digital-cloud-update/


#5

It’s a bit vague, to say the least.

“Previously reported security vulnerabilities related to certain My Cloud products had been disclosed by a security researcher directly with our team in 2017, and critical issues mentioned in these recent articles (gulftech.org; thehackernews.com) were addressed in 2017 with firmware update v2.30.172 and above. Other issues are being addressed in future updates.”

Which specific “critical issues” were addressed with firmware update v2.30.172? What “other issues” remain unaddressed and are still vulnerable?

“could be exploited by a sophisticated hacker in the unlikely event such hacker has access to the owner’s local network”

Define “sophisticated” and “unlikely”. Most reported exploits are trivial to implement, with most of them being quite literally copy and paste, which is hardly sophisticated. As for gaining local network access, let’s just say that it ain’t rocket science.


#6

@SBrown,

I have to agree with @dswv42 100% here. I’ve had a look over the details on the vulnerability and then also compared this to what I can see on my EX4100 and can clearly still see the trademarks of the vulnerability being there. This is definitely something WD should address ASAP and patch. It is very, very disappointing to see that this was brought to the attention of WD over 6 months ago and not all actions have been corrected prior to disclosure. How long is needed to patch these bugs?

In light of this and the other issues I have had with my EX4100 kernel panicking constantly, I am seriously thinking of looking for another NAS. The only thing holding me back really is that I don’t have another NAS with sufficient storage on it to hold the contents of this one temporarily, while I reclaim the disks in a new NAS.

I do hope WD does shape up, but I am very much losing faith over the half-hearted responses to genuine security and performance issues of the devices.

JediNite


#7

I was able to confirm the backdoor on my EX4100. I’ll patch it up, but I’d just like to display my disgust with WD for such a huge fumble. Egg on your faces.
Just can’t wait to hear about the future vulnerabilities that aren’t discovered yet /sarcasm


#8

Still enough known ones that they haven’t patched to go round!


#9

This is news to me. I’m already dissatisfied with this product. This is what I was afraid of with a Wi-Fi only product. As I said in another thread, if I had known this was Wi-Fi only I wouldn’t have purchased it. I don’t need a home cloud when I use others that are probably a lot more secure. I thought it was just a large external drive that could be connected to my computer with the option of Wi-Fi. False advertising on the package. I’m returning mine unless this doesn’t apply to the My Cloud Home. I’m not sure what the EX series is.

I haven’t even registered it yet because I wanted to make sure it worked first. After reading some of the complicated instructions I’m glad I didn’t register it.


#10

@wboswell,

Sounds like you are describing a different product. The EX4100 does not have any wireless capabilities in it.

Cheers,

JediNite


#11

You’re right. I was talking about the My Cloud Personal. I thought this applied to all of them. I returned it anyway because a Wi-Fi only product is an accident waiting to happen. Only a fool would invent something like this.


#12

Given the age of this post and the lack of fixes addressed in the latest firmware update, my confidence in the product and WD as a responsible company is frustrating to say the least… At least I can sleep knowing that the company I work for addresses security concerns and vulnerabilities…

/me = thinking I should’ve gone with a different product vendor for my personal NAS…