Samba vulnerability discovered. Actually not WD's fault


#24

I bought a DS116 and a 4TB WD Red last week. The price is nearly twice that of the My Cloud 4TB, but performance is much better and I get security updates on time.


#26

The following is just my surmising of WD over the half dozen years that I’ve dealt with WD products. My experience is quite deep as a user and I have a lot of passion for the product since I love the size and shape; the next incarnation of that shape is a big black diamond-textured brick, which I WILL NOT BE BUYING.

When I first encountered WD and their PSIRT (Product Security Incident Response Team) about three or four years ago, I was in awe of the immediate response. I had posted a problem on the forum and within hours I got a response post asking me to call; I thought at that time that I would get answers.

I was wrong.

What I did get was a scripted response for fixing a broken cloud, much like a support center for a PC where rebooting is the answer. The final straw was doing the 40-second reset with a phone in one hand, the cloud in the other hand and the outlet plug and pin in your last two hands. The PSIRT took a copy of my logs and nothing ever came of it. It was all part of the script.

Pacification.

They offered to RMA my cloud, which I declined. At that time I had also thought that if I did RMA my cloud, I would be getting a new cloud; it was later on that I found out that people were getting refurbished clouds in exchange for their new clouds, which is an interesting business of recycling clouds that are coming in for clouds that are going out. They weren’t really refurbished clouds, just someone else’s new cloud. It was good business of simply recycling without anybody being the wiser.

Pacification

Tech support is always scripted because there are very few people who know why a cloud would actually suddenly fall off a router (no, not physically fall off) but lose its IP and suddenly disappear. The only people who know are the users and other users who have shared their knowledge over the years.

These are the people who care; the users.

Take a look at the brand new forum. They have carefully moved all of our threads, years of knowledge over to the new forums. One of mine is still stickied at the top.

In addition, I’ve also noticed that they “TRY” to listen by implementing some of our ideas like the scattering of all the scans across multiple directories and centralizing them in a hidden Share folder.

WD doesn’t have the people with the knowledge, not because of a lack of training, but because of the inability to find the people who care enough to work in that sector of the business. After all, it is a hard drive business, and who really cares about hard drives; they are not a NAS company.

In fact, when everyone started to get into real clouds, which are offsite storage on Google or Microsoft servers, WD had to find a way to rename their local storage product into a Cloud.

They took their WD Live, which was a simple NAS device, and started looking for ways to make a cloud local, which is really an oxymoron.

Unlike QNAP or other NAS companies that probably have Unix gurus by the hundreds, I think WD struggles with only a handful. I say this because of the time frame of changes and the method of changes. One of the reasons they took away the sleep logs in the new Gen2 clouds is that they tried to take away logging to keep Linux from writing onto the drive, plus the fact that they also didn’t want us to know how badly the clouds were not sleeping. I also think the reason they moved to BusyBox was the fact that it is smaller and also runs entirely in RAM, staying away from reading and writing on the drive.

These are mass production changes rather than changes for the community like QNAP. Thus security is a secondary concern; it is, after all, a local cloud. The difference in thinking is that this is a home product and if you are concerned, throw up a firewall.

There is a reason why the moderators say what they say: it is to let others with more knowledge answer the question. Otherwise someone who does know (and in this industry there is always someone who thinks they know it all) might step in and correct them, which isn’t good for the company image. If a user says the wrong thing, it is ok because a user has no repercussions.

Thus we come full circle of why WD is the way it is. I think they have made a decision of how they do business, largely because they are a large conglomerate of businesses and this model seems to be working for them. Letting knowledgeable customers support themselves.

After all, there has got to be a know-it-all who would work for free for them. I never did get any cloud drives in return for my tech support over the years.


#27

Users quickly find out that this is the reality of the situation, because they simply do not get support from WD Staff, in the vast majority of cases.

Users who rant at other users, assuming they are uncooperative WD Staff who can’t magically fix their problem (because they haven’t described their problem in sufficient detail) are pretty quickly disabused of their misconception.

They don’t see it because they simply are not looking at the forums. They really aren’t.


#28

You are correct, they took away the sleep log. Moving to BusyBox did eliminate I/O to the root disk.
But the Gen2 does seem to write to the /usr/local/config partition a lot. To figure this out I created a script to tell me when disk I/O has occurred and to what partition. The Gen2 frequently does I/O to /dev/sda7 and /dev/sda4. I can’t find what is being written to /dev/sda4. But for some reason WD decided to put the user.log on /usr/local/config along with a copy on /var/log. Because blktrace does not work on the Gen2, it’s not possible to know exactly what is being written to /dev/sda7. I did decide to remount /usr/local/config with noatime and nodiratime. This did help with the sleep time.

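The disk-write detector and the noatime remount that the post above describes, written out as an added example rather than rac8006’s own script: it diffs two /proc/diskstats snapshots and reports every device whose sectors-written counter moved, which is enough to name the partition that woke the drive when blktrace is unavailable. The two sample snapshots are constructed (the sda4 and sda7 names follow the post; the counter values are made up), and the remount line assumes /usr/local/config is its own partition, as the post says.

```sh
#!/bin/sh
# Added example: find out which partition woke the disk by diffing two
# /proc/diskstats snapshots. Constructed sample data, not the poster's script.
#
# /proc/diskstats columns (1-based): 1 major, 2 minor, 3 name,
#   4 reads completed, 5 reads merged, 6 sectors read, 7 ms reading,
#   8 writes completed, 9 writes merged, 10 sectors written, 11 ms writing, ...

# Print "name delta" for every device whose sectors-written counter
# differs between snapshot $1 (before) and snapshot $2 (after).
changed_partitions() {
  printf '%s\n%s\n' "$1" "$2" | awk '
    NF >= 10 {
      if (!($3 in before)) { before[$3] = $10; next }   # first sighting: before
      after[$3] = $10                                   # second sighting: after
    }
    END {
      for (dev in before)
        if ((dev in after) && after[dev] != before[dev])
          print dev, after[dev] - before[dev]
    }' | sort
}

# Live use on the NAS: sample the counters twice, $1 seconds apart
# (default 5), and report what was written in between. Run it in a loop
# or from cron while you expect the drive to be asleep.
watch_writes() {
  interval=${1:-5}
  before=$(cat /proc/diskstats)
  sleep "$interval"
  after=$(cat /proc/diskstats)
  changed_partitions "$before" "$after"
}

# Once the noisy partition is known, stop the access-time updates on it
# (the post's fix for /usr/local/config; the mount point is an assumption):
#   mount -o remount,noatime,nodiratime /usr/local/config

# Constructed snapshots: only sda7 (and the whole-disk line that sums it)
# was written to between the two samples; sda4 stayed idle.
SAMPLE_BEFORE='8 0 sda 100 0 2000 50 200 0 4000 300 0 0 0
8 4 sda4 10 0 80 5 20 0 160 10 0 0 0
8 7 sda7 10 0 80 5 30 0 240 15 0 0 0'
SAMPLE_AFTER='8 0 sda 100 0 2000 50 202 0 4016 305 0 0 0
8 4 sda4 10 0 80 5 20 0 160 10 0 0 0
8 7 sda7 10 0 80 5 32 0 256 17 0 0 0'

changed_partitions "$SAMPLE_BEFORE" "$SAMPLE_AFTER"
```

The whole-disk line (sda) always moves together with the partition that was written, so the partition lines are the ones to read. Sectors written, not writes completed, is the counter to watch: a single merged write can cover many sectors, and it is the head movement on a spun-down disk that defeats standby, not the request count.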

#29

@rac8006 you are full of contradictions :stuck_out_tongue:

like… if they took away the logs, how did you know that it helped with sleep time? :stuck_out_tongue:

I think the activity with the drive is part of the scans. I did let the drive scan all my files and after a couple of days of activity, it is left with a continuous clicking every couple of seconds, which indicates to me the monitoring of disk size; a job that monitorio.sh used to do. click… click… click… like the ticking of a clock… totally different from scans, which are more like a rumbling or gurgling of the drive. All of this is part of the init.

I had expected a solution from you by now and I’m disappointed :stuck_out_tongue:


#30

Yes, they took away the sleep log. But before I made my changes and created the script, my Gen2 didn’t ever appear to sleep. My script shows me within 4 seconds of when it woke up. Now it is sleeping up to 8 hours at a time. No, it is not scanning the disk. I currently have no files on the disk that would require scanning. Maybe you expect too much. The Gen2 is very difficult to work with since most utilities that I could use on the Gen1 don’t work on the Gen2.


#31

so you are telling me that it is working perfectly without any files on the disk? I think this is the way that WD does their testing of their drives before their firmware release :stuck_out_tongue:

well true… my apologies for expecting too much from you @rac8006 :stuck_out_tongue: So I guess I shouldn’t wait for a solution from you then.

well… at the moment, my Gen2 drives on the old firmware are getting days of sleep :stuck_out_tongue: and how do I know? By the fact that I usually sit with my cloud drives in the same room and can hear whether or not the drives wake up. Also, every time I walk past my bookshelves, I check that the blue LED light is still slowly blinking. No crons, no scans.

so until someone tells me that this firmware is ok, I’ll refrain from getting involved with days of troubleshooting. The good news is that WD has fixed the firmware to allow us to downgrade without having to go through version number editing; as told by another user.


#32

I didn’t say that it was working perfectly. I’m still looking into what the system is doing to affect sleep. Not sure when I will be able to tell why the Gen1 or Gen2 don’t sleep. But if your Gen2 is sleeping for days, why would you need a fix?


#33

Would like to update my firmware to 2.30.165.

It would be nice if I didn’t have to do any work on this version if somebody did it for me :stuck_out_tongue:


#34

What would really be nice is if WD could actually fix something.


#35

Well actually gen2 isn’t that bad. Even if I did nothing, it was usable, albeit slower but usable.

Anyways, @Bill_S, the WD forum messages are really annoying; this is alienating your support user group.

and I got the other message the last time…

Alright… my answer to that… is that I will consider “NOT REPLYING ANYMORE”… done… gone…


#36

@Ralphael,

Sorry Raphael. Those are system messages, and designed as part of Discourse’s implementation. I didn’t send them to you. And as far as I’m concerned, you’re fine. I will look into mellowing these out. Can’t make any promises though.


#37

I know @Bill_S but you are the go-to guy on this forum :stuck_out_tongue:

but system messages like these are kind of patronizing to your forum users. I realize that I can simply ignore them like everything else from WD, but it is much like your cloud scans, they simply won’t shut up. As I would say, give us an option to turn those scans off… err… I meant these system messages off.


#40

Let’s say: using a WD NAS is only recommended for people who have a hobby of fixing problems.
If e.g. @rac8006 took a newspaper delivery job instead of taking the time to fix the standby problem, he could earn enough money to buy a proper NAS and a new Tesla Model S. But this is a hobby – I can well understand :grinning:


#41

Just a thought. How many people put their NAS on the DMZ and/or port forward the ports used for SMB protocol file transfers?

Ok. So I may have a WD NAS that’s got this Samba vulnerability, but Samba on the NAS is never exposed to the Internet. In my case the LAN is a good sandbox and as a result, I’m not worried.

If you want the Samba service exposed to the Internet, buy a NAS where security updates are released every time one is found.

Ever considered that something could be updated to close a security hole only for such an update to break something else? Seen it and been there myself (as a programmer.)

More quality and less haste?


#42

Yes, of course. They have done that with the Samba update, since they haven’t updated the configuration to suit the latest version.

That’s why you do proper regression testing. Not just a quick ‘does it still boot’ test.

I’m not a software engineer; I write VHDL, but exactly the same principle applies.


#43

I contacted WD support for a patch to SambaCry for my NAS (My Cloud EX2).
Here’s the response:
"According to your information you would like to know when will there be a security patch for the new Samba Cry vulnerability.

We would like to inform you that we do not support the Linux operating system.

If you have any further questions, please reply to this email and we will be happy to assist you further."

That does not look as if WD even knows that they should act.
Did someone else try to contact WD’s support about this?


#44

Are you sure?
GuardiCore writes:
Many corporate network storage systems (NAS), home routers and other IOT devices run Samba for file sharing. Some are accessible only from within the network, while others are also exposed to the internet. At the moment there are over 110,000 internet accessible devices that appear to be running vulnerable versions of Samba.
Every device running Samba with writable file shares and weak passwords is at risk. These devices can then be exploited by attackers to hold entire file servers for ransom, exfiltrate data or move laterally inside a network.

And the hackernews:
Home networks with network-attached storage (NAS) devices could also be vulnerable to this flaw.
The flaw actually resided in the way Samba handled shared libraries. A remote attacker could use this Samba arbitrary module loading vulnerability (POC code) to upload a shared library to a writable share and then cause the server to load and execute malicious code.
The vulnerability is hell easy to exploit. Just one line of code is required to execute malicious code on the affected system.

Good to know :flushed:

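The preconditions quoted above (a share the attacker can write to, reachable with weak or no credentials, on a server that will load a shared library from it) can be read straight out of a device’s smb.conf. The audit below is an added example, not code from WD, Samba or GuardiCore: it flags writable shares, the subset that guests can write to, and whether the [global] section carries `nt pipe support = no`, the workaround the Samba project published for this bug (CVE-2017-7494, the one the thread calls SambaCry) for servers that cannot get a patched smbd. Both smb.conf samples are constructed; the share names and paths are made up.

```python
"""Audit an smb.conf for the SambaCry preconditions discussed above:
writable shares (with or without guest access) on a server that still
has named-pipe support enabled. Added example with constructed configs;
not code from WD, Samba or GuardiCore."""
import configparser

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _as_bool(value, default):
    """Samba booleans: yes/true/1 or no/false/0, case-insensitive."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def _load(text):
    """smb.conf is INI-like; Samba ignores case and internal whitespace in
    parameter names ('read only' == 'ReadOnly'), so normalise them."""
    cfg = configparser.RawConfigParser(strict=False)
    cfg.optionxform = lambda name: "".join(name.split()).lower()
    cfg.read_string(text)
    return cfg


def share_is_writable(section):
    """'read only' (Samba default: yes) is canonical; 'writable', 'writeable'
    and 'write ok' are its inverted synonyms. True if clients may create files."""
    if "readonly" in section:
        return not _as_bool(section["readonly"], True)
    for synonym in ("writable", "writeable", "writeok"):
        if synonym in section:
            return _as_bool(section[synonym], False)
    return False


def audit_smb_conf(text):
    """Return which shares are writable, which of those guests can reach,
    and whether the module-loading vector is still open."""
    cfg = _load(text)
    global_name = next((s for s in cfg.sections() if s.lower() == "global"), None)
    globals_ = cfg[global_name] if global_name else {}
    # Samba's default is 'nt pipe support = yes'; 'no' is the published workaround.
    pipes_on = _as_bool(globals_.get("ntpipesupport", "yes"), True)

    writable, guest_writable = [], []
    for name in cfg.sections():
        if name == global_name:
            continue
        section = cfg[name]
        if not share_is_writable(section):
            continue
        writable.append(name)
        # 'guest ok' (synonym 'public') lets unauthenticated clients write.
        if _as_bool(section.get("guestok", section.get("public", "no")), False):
            guest_writable.append(name)

    return {
        "nt_pipe_support": pipes_on,
        "writable_shares": writable,
        "guest_writable_shares": guest_writable,
        # The attack needs somewhere to drop the .so AND a pipe to load it through.
        "at_risk": pipes_on and bool(writable),
    }


# Constructed smb.conf matching the risky pattern in the quote above:
# a guest-writable share and no workaround in [global].
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   server string = constructed NAS
   map to guest = Bad User

[Public]
   path = /shares/Public
   read only = no
   guest ok = yes

[TimeMachine]
   path = /shares/TimeMachine
   writeable = yes
   valid users = alice

[Docs]
   path = /shares/Docs
   read only = yes
"""

# Same shares with the Samba-published workaround and no anonymous writes.
HARDENED_CONF = WEAK_CONF.replace(
    "[global]", "[global]\n   nt pipe support = no").replace(
    "guest ok = yes", "guest ok = no")

if __name__ == "__main__":
    print("weak:    ", audit_smb_conf(WEAK_CONF))
    print("hardened:", audit_smb_conf(HARDENED_CONF))
```

Two caveats go with the result. The workaround is exactly the kind of fix-one-thing-break-another change the earlier post worries about: with named pipe support off, some functionality Windows clients expect from the server stops working, so test the shares after setting it rather than assuming the change is free. And the audit only says what a client that can already reach TCP 139/445 could do; as the post before asked, if those ports are never forwarded or DMZ’d, the exposure is the LAN, and a writable share that still needs a real password is a weaker target than a guest-writable one.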

#45

Yes, we have all discovered that they don’t support the Linux operating system they are using to implement their product

At best, that’s another example of utterly ignorant ‘support’.

At worst, it confirms that WD don’t think they have any responsibility for the failings of the open source software they use to implement their product.


#46

this answer makes me wanna cry. I call this state “WDCry” ™ :joy: