PR4100 hacked in the open. New version coming out?

Just read some news about Pwn20wn Tokyo 2020 and that on day one, PR4100 was hacked leveregin existing known flaws.

When ca we see the patch?

Thanks,

1 Like

their win was only partial since they leveraged a previously known flaw.

:open_mouth:

Worth a comment from WD. . . . .not clear what OS the NAS was using. . . . since it was stated to have been hacked with a “known” flaw.

This is critical. . . as there are only two selling points for OS5

  • The web app (and indexing is a part of the web app experience)
  • security

Thank you for your post. We love being a part of competitions like Pwn2Own because they help us make our products more secure for our customers. The Pwn2Own competition is designed to demonstrate amazing research from top security researchers around the globe and we would like to thank ZDI for selecting the Western Digital My Cloud Pro Series PR4100 for this competition. The competition tested our PR4100 using our latest OS5 firmware version.

In regards to the results, we’d like to clarify the article’s use of “previously known” because it has a specific context which can be verified by reading the Pwn2Own results or watching the recorded livestream. Under Pwn2Own rules, the first researcher to exploit a vulnerability receives the points. If another researcher exploits the same vulnerability later in the competition, no points are awarded because the vulnerability was previously reported or submitted which means it was “previously known”. As a result, all the vulnerabilities referenced in the article were discovered in the competition. We have received the vulnerability details and are already working on the fixes for an upcoming release.

4 Likes

The new version (5.06.115) fixes some security issues, but as far as I understand still not the latest ones found.


Right?