All of the major NAS manufacturers have now released patches to fix the remote code execution bug in SAMBA. When is WD going to patch our NAS drives? See below;
CVE-2017-7494.html:
====================================================================
== Subject: Remote code execution from a writable share.
== CVE ID#: CVE-2017-7494
== Versions: All versions of Samba from 3.5.0 onwards.
== Summary: Malicious clients can upload and cause the smbd server
== to execute a shared library from a writable share.
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.
Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at You are being redirected.... Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.
Hate to tell you this but QNAP, Asustor and Synology all have released patches to correct for this. You shouldn’t reply unless you know what you are talking about.
I own QNAP and Asustor as well as the WD ex2 so I speak from direct knowledge.
I have two QNAPs … the last update was two weeks ago and did not include a fix for this.
QNAP has only issued a qfix which for some models only disables discovery, which no one should consider a “fix.” The qfix is only available for certain models.
Synology has only released fixes for certain DSM versions.
Regardless of your opinion, the major NAS players HAVE taken steps to mitigate these security risks, while WD has done nothing. Why you would defend WD’s lack of concern for their customers data security I can only speculate, however since you seem to be unable to acknowledge the truth of my initial post I will no longer waste my time responding to you.
It’s not opinion; it’s fact based on presented evidence. I’m not defending WD; they do need to issue updates. I’m only questioning your inaccurate statement (that all major NAS vendors have patched for this) in holding WD to some standard compared to other consumer-grade NAS vendors. It didn’t pass by me unnoticed that you can’t actually defend your statement.
Besides, this issue is not a problem for anyone who is using the My Cloud product lines according to WD’s targeted marketing (home users who wouldn’t have a clue how to expose the SMB protocols to the internet and would ordinarily have antivirus and antimalware software on their clients).
In other words, if you’re not exposing writable shares to untrusted users, there is NO issue. If one practices ordinary security practices on one’s home network, this vulnerability is not a big deal.
I’ve worked in IT for a Fortune 500 company for more than two decades. It drives me batcrap-crazy when people holler Chicken Little warnings who don’t really understand the vulnerabilities and attack vectors in question. Yes, WD needs to address this issue. But it’s NOT as big a deal as you’re implying.
Sigh. No one has challenged my original statements. …only throwing out (rather meaningless) insults.
Port 445? Yeah, that’s SMB over TCP. Nothing new there… Certainly not indicative of “many attack vectors.” From this vulnerability’s point of view, it’s the same as 139.
A convenient dodge, but it’s based on flawed logic. The subect CVE has been patched by the Samba team.
Anyone who wants to know how to exploit this CVE need not look any further than the top hits on Google, which point to quite a few Docker containers or OVAs that will demonstrate the exploit on an arbitrary target. All one needs supply is a host and an executable binary compiled for the target.
If you’re saying this patch does NOT fix this “something” YOU know of, that can mean one of two things:
There’s a NEW vulnerability involving port 445, then your whole point is off topic.
The Samba patch didn’t correct the vulnerability.
So, which is it? If it’s #2, then why pressure anyone to release a patch that doesn’t work? If it’s #1, then it’s unlikely ANY vendor has patched that.
dswv42, you just have to ignore people like TonyPh12345, any response to them just adds fuel to the fire. The guy chose to ignore the links that I provided showing that the other guys HAVE in fact released patches to mitigate this vulnerability. Also the main reason for the thread is to point out that WD is letting their user base down by not providing adequate long term support for this and other related issues that have been identified and to provide some additional heat so they will take action. Cant help but wonder if one of Tony’s employers might be WD? Regardless, I accomplished my goal.
Germanys c’t magazine wrote:
The security gap is relatively easy to exploit for attacks. It is to be assumed that it is already abused in large scale for attacks […].
Embedded systems and NAS devices for which there are no patches should be better removed from the net.
It appears WD simply doesn’t care about their customers past the point of purchase. Best to use it on your local network and only as a backup to a real NAS system. That way you can power it down when you aren’t making backups from your QNAP, Synology, or Asustor NAS.
@Vertech1
You and others have a lot of gall to insult a respected and knowledgeable forum member of long-standing such as Tony. He has helped more forum members than you will ever hope to.
People who respond for no reason other than to stir up controversy are the reason large corporations can continue to ignore the serious security holes in their released product base. If the existing users of WD NAS products effected by this and other serious security holes would stay focused on the subject instead of trying to defend a manufacturer or even another contributor then perhaps WD would realize they need to address the issue and release software updates in a more timely fashion. However by attempting to “defend the honor” of a contributor who clearly missed the point and ignored the facts as they were presented, less knowledgeable users (IE the ones most likely to be exposed by this) will miss the point and risk having their data compromised.
I’m sure Tony is a very knowledgeable guy, but he was wrong, happens to everyone, even you Mike. And as I said in a previous post within this thread, I wont waste any more time responding.
