I’m looking for a security contact for My Cloud in order to share information about new vulnerabilities found in the product and help get them fixed.
Can someone please give me an email or otherwise put me in contact with the appropriate parties at Western Digital in order to get these issues fixed and end users protected?
As you can see from this thread, WD is fully aware of security issues and does not inform any of us users. prodsecurity posted this particular thread on 01-27-2015; that was 2.5 months ago.
No word from WD … No updates … many users have their “Cloud Access” off or risk being hacked if they do. If you modify your My Cloud OS, WD can void your warranty … Hey!, it’s a Win - Win for them. This is TOTALLY Frustrating for the users!
Yes, it is surprising that WD did not issue a workaround, which is quite simple.
Do the following (if you are not afraid of using ssh and logging into your wdmycloud), full instructions and testing.
Do not use Windows Explorer because it supports falling back to SSLv3. Do this with Internet Explorer: go here Poodle web browser test. It will say vulnerable.
Use the latest Firefox and go to the same site as above. It will say not vulnerable, as support for SSL was dropped from Firefox.
Now the workaround for wdmycloud:
3.1 log in with ssh (putty or whatever)
3.2 navigate to /etc/apache2/mods_enabled (cd /etc/apache2/mods_enabled)
3.3 open ssl.conf with an editor (I use vi)
3.3 find SSLProtocol line and change to SSLProtocol -TLSv1 -TLSv1.1 -TLSv1.2
3.4 save the file (in vi use :wq)
3.5 now we need to disable loading the ssl module, so in the same directory open ssl.load and comment out the single line there, by putting a hash in front of the line.
3.6 now you can reboot the device or do on the commandline
apache2ctl -k restart
Or
service apache2 restart.
I did a reboot of the device to make sure the changes are still there.
3.7 open port forwarding on your router and remote control in your dashboard.
3.8 redo the tests as above for your poodle and rescan the ports for poodle Poodle scan
Try wd2go in Firefox or IE and you should have normal service and no vulnerability. I have been using this for a few months with no issues.
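Added example, not part of the original posts and not WD's code: a small Python audit that reads an Apache `ssl.conf`, evaluates each active `SSLProtocol` line, and reports the lines that still leave SSLv3 enabled. The left-to-right evaluation rule, the protocol list, and the sample configuration are assumptions made for this example, modelled on how mod_ssl handles `+`, `-` and bare protocol names.

```python
import re

# Assumption: the protocol names a mod_ssl build of that era accepted, and
# that "all" expands to every one of them.
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
BY_LOWER = {p.lower(): p for p in PROTOCOLS}

def effective_protocols(args):
    """Evaluate SSLProtocol arguments left to right.

    '+X' adds X, '-X' removes X, a bare 'X' replaces the whole set.
    The set starts empty, so a line made only of '-X' words enables nothing.
    """
    enabled = set()
    for word in args.split():
        action = word[0] if word[0] in "+-" else ""
        name = word[len(action):].lower()
        if name == "all":
            chosen = set(PROTOCOLS)
        elif name in BY_LOWER:
            chosen = {BY_LOWER[name]}
        else:
            raise ValueError(f"unknown protocol in SSLProtocol: {word!r}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = chosen
    return enabled

def sslv3_lines(conf_text):
    """Return the line numbers of active SSLProtocol lines that leave SSLv3 on."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        match = re.match(r"\s*SSLProtocol\s+(.+?)\s*$", line, re.IGNORECASE)
        if match and "SSLv3" in effective_protocols(match.group(1)):
            hits.append(number)
    return hits

# Constructed sample, not taken from a real device.
SAMPLE_CONF = """<IfModule mod_ssl.c>
    # SSLProtocol all -SSLv2 -SSLv3
    SSLProtocol all -SSLv2
</IfModule>
"""

if __name__ == "__main__":
    for n in sslv3_lines(SAMPLE_CONF):
        print(f"line {n}: SSLv3 still enabled")
    print(sorted(effective_protocols("all -SSLv2 -SSLv3")))
```

Commented-out directives are skipped because the pattern only matches lines whose first non-blank token is `SSLProtocol`.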
FYI – The POODLE vulnerability that jamalya described has nothing to do with the new security bugs reported to WD, they are completely separate issues. The vulnerabilities we’ve reported still remain unfixed as of today.
We thank you for submitting your issues to both the community and WD Support. We have submitted the items reported to the appropriate teams within our organization.
A security vulnerability (POODLE Attack, CVE-2014-3566) in the popular OpenSSL encryption software, which is widely used to secure Web-based communications and services, affects My Cloud and other WD personal cloud products through their function as a web server.
For all WD personal cloud products – My Cloud, My Cloud Mirror, My Cloud EX2, My Cloud EX4, My Cloud EX 2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Book Live and My Book Live Duo – a solution is being developed and is planned for availability within 90 days.