openSSL vulnerability CVE-2014-0160

Hello. As it was announced today (8-th of April) there is a bug in openSSL library, which used by current Linux distributives, including Debian Wheezy (which is used in Mycloud). Hacker could password and compromise device running openSSL. So, any Mycloud devices is in danger now. I’ve tested my NAS using online check tool, and it say I’m in danger. So, whan the patch will came out? (so far I disabled internet access to my MyCloud)

More information: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

Check tool: http://filippo.io/Heartbleed/

Best to open a ticket and let them know even if they already know. I am opening one now.

So, anything to worry about from the remote access, WD servers, or the NAS themselves?

I just pointed that test tool to my Cloud, My Book Live, etc… 

It says everything is OK?

Not on mine. How did you direct it?

i gave it my external IP address:8443

and here is the output:

Here is some data we pulled from the server memory:
(we put YELLOW SUBMARINE there, and it should not have come back)

([]uint8) {
 00000000 02 00 79 68 65 61 72 74 62 6c 65 65 64 2e 66 69 |..yheartbleed.fi|
 00000010 6c 69 70 70 6f 2e 69 6f 59 45 4c 4c 4f 57 20 53 |lippo.ioYELLOW S|
 00000020 55 42 4d 41 52 49 4e 45 e9 e4 f0 17 91 94 01 d1 |UBMARINE........|
 00000030 46 bd d8 67 d9 38 d1 fb 7a 00 91 e7 4e f9 2e 00 |F..g.8..z...N...|
 00000040 05 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 17 |................|
 00000050 00 18 00 19 00 0b 00 02 01 00 00 0d 00 0a 00 08 |................|
 00000060 04 01 04 03 02 01 02 03 ff 01 00 01 00 64 0d 0a |.............d..|
 00000070 55 73 65 72 2d 41 67 65 6e 74 3a 20 1f 92 77 9d |User-Agent: ..w.|
 00000080 8c c8 2e 3b ec 30 d1 2e ee c9 33 ff |...;.0....3.|
}

Please take immediate action!

Yes, my mistake.  I was actually pointing it to my My Book Live.

@ jamalaya

I did as you and pointed the test to my external IP and port numbers (443 and 8443). I got the “Uh-oh, something went wrong:” message. I hope I am doing the test correctly. :flushed:

You get this error if you enter the wrong information or your port is not open. To check if your ports are really open

test them here

http://www.yougetsignal.com/tools/open-ports/

If they are really open and you get the message then that is interesting unless it has been fixed -) mine is still showing vulnerability.

1 Like

None of the Linux distros I’ve looked at have included the fix, yet, either. It might be a while… Might try to compile it myself.

jamalaya wrote:

You get this error if you enter the wrong information or your port is not open. To check if your ports are really open

 

test them here

 

http://www.yougetsignal.com/tools/open-ports/

 

 

If they are really open and you get the message then that is interesting unless it has been fixed -) mine is still showing vulnerability.

I have done that, used the link you gave above a month or so ago and just reran the test, and my ports are closed.

Thanks jamalaya

Blah31 wrote:


TonyPh12345 wrote:
None of the Linux distros I’ve looked at have included the fix, yet, either. It might be a while…


Don’t know how you came to that conclusion.

Experts check at http://www.debian.org/security/2014/dsa-2896 and find there:

 

Yeah, for debian distros… 

I haven’t checked ALL distros, but the four I run (as of last night) still had not updated the distros.

But when I checked this morning, Ubuntu now has 1.0.1e-3ubuntu1.2 – which is patched.

Blah31 wrote:

However, apt.get upgrade in MyCloud bricks the box due to the well known mess WD left there!!

Well, that’s pretty strange approach to upgrading a single package…

The correct way to do the upgrade:

CloudNAS:~# apt-get --only-upgrade install openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
openssl is already the newest version.

That shows that openssl is still the latest version available – the distro for arch armv71 still does not have a patched openssl package.

The WD is looking in packages at:

CloudNAS:~# cat /etc/apt/sources.list
deb http://ftp.us.debian.org/debian/ wheezy main

… the version is still 1.0.1e-2

So clue me in… why does Debian package list not include the update?

I just manually installed the openssl_1.0.1e-2+deb7u6_armhf.deb package on my Cloud…

All good.  :)

I can also verify that the MyCloud is vulnerable using the Chrome extension that checks and accessing remotely I get this -

I have submitted a ticket on this matter and we’ll see what happens.

I referred to this thread and NFODIZ’s thread at:

http://community.wd.com/t5/WD-My-Cloud/GUIDE-Patch-the-Heartbleed-OPENSSL-vulnerability/m-p/718282#M12760

TonyPh12345 wrote:

I just manually installed the openssl_1.0.1e-2+deb7u6_armhf.deb package on my Cloud…

 

All good.  :)

 

 

TonyPh12345, I tested 6 times and for some reason I also had to install libssl1.0.0_1.0.1e-2+deb7u6_armhf.deb before the test came back All good, IP ADDRESS:9444 seems fixed or unaffected!

This was done 6 times just installing openssl_1.0.1e-2+deb7u6_armhf.deb and testing and then going back to factory firmware

 

Yeah, I did that package, too. :slight_smile:

Thanks Tony, it was driving me crazy LOL :smileyvery-happy:

When I posted this morning, I had 10 successive “It’s Good” results.

When I looked again after lunch, it was like the check webpage was manic…  One in six tests would say “Vulnerable.”  So I dug into it and saw the other dependency.  

jamalaya wrote:

Best to open a ticket and let them know even if they already know. I am opening one now.

How do I open a ticket?

http://support.wdc.com/product/download.asp?wdc_lang=en

bottom at the page/ Contact support. You need your username and login.