Samba vulnerability discovered. Actually not WD's fault


#47

LOL … ain’t that the truth :wink:


#48

BTW, I’d strongly suggest you reply to this ‘support’ person, and point out that:

  1. Their product is built using either a full version of Linux (Debian Wheezy) for v4 firmware, or cut-down version of Linux (BusyBox) for v2 firmware
  2. Their product uses the Samba open source library to provide an SMB network file server
  3. This is provided within their firmware image, created and supplied by WD, not some user-installed add-on
  4. It’s their responsibility to fix it
  5. If the ‘support’ doesn’t understand these points, they should pass the request on to someone who actually has a Clue about how their product is implemented, not just a drone reading from a prepared script.

#51

I got an update from WD:

Btw, answered by the same person (at least the same first name) who answered me the first time…


#52

uh huh… evaluating response… please note that this is all tongue and cheek… and not what really goes on behind the scenes… (it is much worse :stuck_out_tongue:)

… we are replying to your reply that you reply to ours and did you thank you for our reply to yours? equal to salutations or just "hello from the other side… not really, more of a “yeah… mumble mumble…” (standard tech support reply from years of answering questions about the missing cup holder on new laptops).

no funny business here… we are serious… seriously, really. but we will evaluate how badly this might affect our product if the word ever gets out. So far so good… we don’t support linux :stuck_out_tongue: meaning outside our own linux box :stuck_out_tongue:

yeah, nothing to see here… Vulnerability support team of 1 who is on vacation at the moment. so far nobody has been affected… well maybe just that one or two or maybe a dozen, but we swapped them all out with another cloud and they are good now… nobody the wiser and nobody has really been affected… at least nothing provable. Really… seriously… really!!

If and only if management (Bob) approves. We won’t let you know unless we got a new update and only on the day… and if it is just before a weekend we will pull any updates, just in case of an influx of trouble users and we won’t tell you either on why we pulled the update. Of course we will tell our moderators first but unfortunately we don’t talk to them, so we won’t.

cough Please don’t reply. it just goes to the spam folder… :stuck_out_tongue:

Please quote me so this gets replicated before it gets deleted and removed in 24 hours. :stuck_out_tongue:


#53

Setting up my DS116 right now, The NAS itself is amazing, but the Toshiba N300 is LOUD LOUD LOUD. I would not recommend this drive for use in the same room.


#54

OT: Compared to WD red the N300 4TB has double power consumption, is 5-6dB(a) louder (factor 1.5!) and only 5 € cheaper (Germany).


#55

okay, where’s the Update for the MyClouds?! come on WD!


#56

While there’s life, there’s hope…


#57

WD strategy works well. Seems that nobody cares about this problem anymore…

Germanys famous computer magazine c’t writes these days (translation below):
“Sie [die Sicherheitslücke] ist nach Expertenmeinung relativ einfach für Angriffe ausnutzbar. Es ist zu vermuten, dass sie bereits im großen Stil für Angriffe missbraucht wird […]. Embedded-Systeme und NAS-Geräte, für die es keine Patches gibt, sollte man besser aus dem Netz entfernen.”

Google translation:
“The security gap is relatively easy to exploit for attacks. It is to be assumed that it is already abused in large scale for attacks […]. Embedded systems and NAS devices for which there are no patches should be better removed from the net.”

So far…


#58

SambaCry used in the wild: https://securelist.com/sambacry-is-coming/78674/

“…On May 30th our honeypots captured the first attack to make use of this particular vulnerability, but the payload in this exploit had nothing in common with the Trojan-Crypt that was EternalBlue and WannaCry. Surprisingly, it was a cryptocurrency mining utility!..”


SAMBA Security Bug
#59

5.500 USD? I should change to the dark side of the Force…


#60

where is an update?!


#61

#62

Quite a long time by the sounds of it. I don’t really want to read negative here, really don’t, but I am quite perplexed why the delay.


#63

Any updates on these issues?


#64

“we take the security of our customers data very bla bla bla…” still no update…

but a new my cloud device, my cloud home. WD releases more products than software updates :smiley:


#65

Looks like that’s compliant with WD’s ‘look and feel’. i.e. not working very well…

Also seems odd that they haven’t pushed out a new product notice on this forum. They have set up a forum for it, though. I wonder how different it is to our devices.

https://community.wd.com/c/home-cloud-storage

You can get the quick start leaflet, but the user manual isn’t so successful…

https://www.wdc.com/content/dam/wdc/website/downloadable_assets/eng/user_manual/4779-705163.pdf

ERROR
The request could not be satisfied.

Bad request.

Generated by cloudfront (CloudFront)
Request ID: [redacted]

#66

oh no! haven’t you learned anything?! :slight_smile: get a refund and buy a synology!


#67

I haven’t bought one. I didn’t even know they existed…


#68

no update since April. That’s ridiculous for a linux server