Hi everyone,
we are using a few of these EX-4 for cheap instrument data storage. There is a security vulnerability in the UPNP used by these. I can enable ssh, log in and run “upnpnas.sh stop” to turn it off but would like to make sure that UPNP does not start when the device is booted. The web management doesnt seem to mention UPNP. So anyone have any idea? We are running the current release of MyCloud as of May 2016.
Portable SDK for UPnP Devices (libupnp) < 1.6.18 Multiple Stack-based Buffer Overflows
If your WD EX4 dashboard is anything like most of the WD NAS dashboards, I would think you could go into Settings/Media and under DLNA Media Server, turn OFF Media Streaming control. This is the control for the DLNA/UPNP server. Give it a try.
On the EX-4 turning the media streaming starts a service at 9xxx per nmap.
It does not affect the upnp port at 49xxx one way or the other. I can run
upnpnas.sh and that will control the actual upnp
service. Ideally I would like to either configure in the xml settings files
not to start upnp or add an rc file that stops this service on boot.
OK, you are beyond my knowledge on much of this, so if another person cannot help, suggest you contact WD Support directly.
Ahoy there.
Did you ever get an answer on this? Our new security consultants want me to patch the UPnP version on an EX-4 I’m running, and I don’t see a way to do it.
Cheers.
No. Isolated on VLAN. No more my clouds here.
