Product Security Contact

 Hi,

I’m looking for a security contact for My Cloud in order to share information about new vulnerabilities found in the product and help get them fixed.

Can someone please give me an email or otherwise in contact with the appropriate parties at Western Digitial in order to get these issues fixed and end users protected?

Thanks!

1 Like

Welcome to the Community.

To Contact WD’s Technical Support about this:

http://support.wdc.com/contact/index.asp?lang=en

Support by Country
http://support.wdc.com/country/index.asp

Regards,

should I take it offline? :smileyvery-happy:

what did they say?

Nothing, no response.

As you can see from this thread , Wd is fully aware of security issues and does not inform any of us users. prodsecurity posted this particual thread on 01-27-2015, that was 2.5 months ago.

No word from WD … No updates … many users have their “Cloud Access” off or risk being hacked if they do. If you modify your My Cloud OS, WD can void your warranty … Hey!, it’s a Win - Win for them. This is TOTALLY Frustrating for the users!

1 Like

Hey guys,

Yes it surprising that WD did not issue a workaround which is quite simple.

Do the following (if you are not afraid of using ssh and logging into your wdmycloud), full instructions and testing.

  1. Do not use Widows explorer because it support falling back to SSLv3. Do this with internet explorer, go here Poodle web browser test. It will say vulnerable.

  2. use Latest firefox and go to the same site as above. It will say not vulnerable as support for SSL dropped from FireFox.

  3. Now the workaround for wdmycloud:

     3.1 log in with ssh (putty or whatever)

     3.2 navigate to /etc/apache2/mods_enabled (cd /etc/apache2/mods_enabled)

     3.3 open ssl.conf with an editor (I use vi)

     3.3 find SSLProtocol line and change to SSLProtocol -TLSv1 -TLSv1.1 -TLSv1.2

     3.4 save the file (in vi use :wq)

     3.5 now we need to disable loading the ssl module, so in the same directory open ssl.load and comment out the single

           line there, by putting a hash infront of the line.

     3.6 now you can reboot the device or do on the commandline

          apache2ctl -k restart

         Or

         service apache2 restart.

         I did a Reboot of the device to make sure, changes are still there.

     3.7 open port forwarding on your router and remote control  in your dashboard.

     3.8 redo the tests as above for your poodle and rescan the ports for poodle  Poodle scan

try wd2go in Firefox or IE and you should have normal service and no vulnerability. I have been using this for few months with no issues.

Hope this helps. 

1 Like

Thank You … I will look into this when I get home :wink: … but in reality WD should have fixed this.

FYI – The POODLE vulnerability that jamalya described has nothing to do with the new security bugs reported to WD, they are completely separate issues. The vulnerabilities we’ve reported still remain unfixed as of today.

That looks fairly straightforward.  If it’s that easy, why haven’t WD rolled it out…?

Can you explain what it does, and how it eliminates the Poodle vulnerability?

Obviosuly I did some research to understand how it works and how might a hacker attack, I read this first

openssl and us-cert.gov

and some Redhat

and some here

there are many more.

I did some test  here as well besides the poodle test site, but since no SSL is installed there is no vulnerability.

I also read some reports, cant remember top of my head now, that only 200 companies out of top 1million uses SSLv3 (WD one of them nd Microsoft :slight_smile: ).

WD can fix many vulernabilties quite easy. but only they know why they don’t :slight_smile:

 FYI – The POODLE vulnerability that jamalya described has nothing to do with the new security bugs reported to WD, they are completely separate issues

Yes, understood. As I said, I look forward to the disclosure, because that’s what I expect the outcome will be…

Everyone,

We thank you for submitting your issues to both the community and WD Support. We have submitted the items reported to the appropriate teams within our organization.

Regards,

WD Customer Support and Services

1 Like

thanks for the post OP.    

Still no respond from WD for the reported bugs (originally reported months ago)

A security vulnerability (POODLE Attack, CVE-2014-3566) in the popular OpenSSL encryption software, which is widely used to secure Web-based communications and services, affects My Cloud and other WD personal cloud products through their function as a web server.

For all WD personal cloud products – My Cloud, My Cloud Mirror, My Cloud EX2, My Cloud EX4, My Cloud EX 2100, My Cloud EX4100, My Cloud DL2100, My Cloud DL4100, My Book Live and My Book Live Duo – a solution is being developed and is planned for availability within 90 days.