Security Holes and Features, what will come next? -> Another 0-Day Looms for Many Western Digital Users

Hello,
this is the latest news regarding WD NAS Devices:

The “Solution” is an “Upgrade” to OS 5.

After 30 years inside of the IT Business → The purpose of an Upgrade was always equal or better.

OS 5 is still a Feature downgrade / Function downgrade and a (maybe?) Security Upgrade.

My question is:
Does an upcoming Feature/Function List for OS 5 exist?

If not → it looks like WD will exit the NAS Device Business as Netgear does and Seagate did.

Are there any signs that we will see news in this WD branch?
I could not find anything in the last years.

Currently it looks like a dying/dead horse to me.

Your thoughts about it?

Best case I’m wrong and you can correct me :slight_smile:

Cheers

Is that a question? WD already has a knowledgebase article listing the differences between OS3 and OS5.

My Cloud OS 5: Feature Differences Between My Cloud OS 3 and My Cloud OS 5
https://support-en.wd.com/app/answers/detail/a_id/29389

OS5 is what it is. This is mostly a user-to-user support forum. WD Support rarely if ever provides any information or details on any “fixes” or feature enhancements to the My Cloud firmware.

The speculation by a few in these subforums has been that OS5 is a setup for WD’s EdgeRover (https://support-en.wd.com/app/products/product-detail/p/2293). One can dig through the OS5 subforum posts for all the issues users are having with OS5, from loss of features they had in OS3 to the indexing “feature” that cripples and or renders their devices (particularly the second generation single bay My Cloud) unusable and inaccessible for hours or days.

The unfortunate reality is that like pretty much all other NAS devices there are security vulnerabilities that are discovered for the My Cloud. Sometimes they are patched. Other times not. The WD My Cloud OS3 firmware has had its share of security vulnerabilities over the years, some of which were eventually patched by WD. The workaround, while not ideal, has always been to disable remote access/cloud access, FTP access and any other methods of remote access to the My Cloud. This can include setting up rules in the local network router/firewall to block all remote network traffic to the device.

A number of My Cloud devices are End of Updates and are stuck on OS3. In some cases one can attempt (unofficially) to load alternate, non WD, firmware or operating systems to their devices with varying degrees of success. The reality is that end of life and or end of firmware support on a device that leaves it open to security vulnerabilities is a fact of life. It’s a common occurrence in the electronic/software world.

WD Product Software Support Status
https://support-en.wd.com/app/answers/detail/a_id/28740

Edit to add: And for those OS3 users they can possibly automate the running of the third party “patch” that is mentioned in the Krebs article by saving the “patch” as a script and having it run at each My Cloud boot via /etc/rc2.d/S98user-start (if that user-start exists within one’s My Cloud firmware/root structure).

1 Like
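
The router-level blocking suggested in the post above, as an added example that is not part of the original thread or WD's documentation: it assumes a Linux-based router using iptables, and the NAS address `192.168.1.50`, WAN interface `eth0`, VPN tunnel interface `wg0` and all function names are hypothetical. It generates the two WAN-facing drop rules and checks a saved rule listing for them.

```shell
#!/bin/sh
# Added example. NAS address and interface names are assumed values.
# Constructed sample of `iptables -S FORWARD` output from a Linux-based router.
SAMPLE_RULES='-P FORWARD ACCEPT
-A FORWARD -d 192.168.1.50/32 -i eth0 -j DROP
-A FORWARD -s 192.168.1.50/32 -o eth0 -j DROP
-A FORWARD -d 192.168.1.50/32 -i wg0 -j ACCEPT'

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (do not apply) the two rules that cut the NAS off from the WAN side.
# They match on the WAN interface only, so LAN hosts and a VPN that terminates
# on the router's own tunnel interface (wg0 here) are left untouched.
nas_isolation_rules() {
    nas_ip=$1; wan_if=$2
    valid_ipv4 "$nas_ip" || { echo "bad NAS address: $nas_ip" >&2; return 2; }
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 2 ;;
    esac
    # NAS -> internet (outbound connections such as cloud access).
    echo "iptables -I FORWARD -s $nas_ip -o $wan_if -j DROP"
    # Internet -> NAS (port forwards, UPnP mappings).
    echo "iptables -I FORWARD -i $wan_if -d $nas_ip -j DROP"
}

# Read `iptables -S FORWARD` output on stdin; succeed only if both drops exist.
# Presence is all that is checked: an earlier ACCEPT for the same traffic wins.
nas_is_isolated() {
    rules=$(cat)
    for want in "-s $1/32 -o $2 -j DROP" "-d $1/32 -i $2 -j DROP"; do
        printf '%s\n' "$rules" | grep -qF -- "-A FORWARD $want" || return 1
    done
}

nas_isolation_rules 192.168.1.50 eth0
printf '%s\n' "$SAMPLE_RULES" | nas_is_isolated 192.168.1.50 eth0 && echo "isolated"
```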

Yep, which is why the rest of that sentence that you quoted stated; “… some of which were eventually patched by WD.” Some vulnerabilities were patched some not. As we all know, it has been a long running issue on the OS3 firmware that some security vulnerabilities remain unpatched or that it took WD a very long time to issue a patch through a firmware update.

OS3 is essentially dead at this point and any existing vulnerabilities will likely (for now) remain unpatched by WD. WD had stated previously in this WD product security link about OS5:
https://www.westerndigital.com/support/productsecurity/wdc-21004-recommended-upgrade-to-mycloud-os-5

We will not provide any further security updates to the My Cloud OS3 firmware. We strongly encourage moving to the My Cloud OS5 firmware. If your device is not eligible for upgrade to My Cloud OS 5, we recommend that you upgrade to one of our other My Cloud offerings that support My Cloud OS 5. More information can be found here: https://shop.westerndigital.com/support/software/my-cloud-os

There was some discussion last week about the My Book Live security vulnerability in the OS3 My Cloud subforum. At that time, a WizCase article (WizCase Report: Vulnerabilities found on WD My Book, NetGear Stora, SeaGate Home, Medion LifeCloud NAS) hinted that My Cloud devices were possibly impacted but gave no firm details on My Cloud specifics.

1 Like

For me it is, or to put it another way: is OS 5 a dead end or a beginning? Currently (I think I’m right) it’s a dead end, but I still had hope until now.

I know the list, but I could not paste it because of the thread-starter limitation of max 2 links.

And yes, it’s a User to User Forum but also a chance for WD as food for thought.

Unfortunately
All available information combined →
This is the only realistic conclusion

Pretty much any/every NAS device has security vulnerabilities. The core issue has always been; how quickly are they patched… if they are even patched. Long time WD My Cloud users (who frequent these subforums) know that these devices have their long running firmware issues. More than a few of which haven’t been fixed or patched. Most have understood, at least with the single bay My Cloud line, that the devices were very basic entry level NAS boxes, that better offerings were out there for significantly more money.

Personally I’ve relegated the single bay My Cloud to secondary little used NAS and now use another brand as my main NAS.

The My Cloud units are mostly functional for basic NAS only use but with the security vulnerabilities it’s best to keep the OS3 versions isolated from the internet (turn off Cloud Access, FTP, etc. in the Dashboard) on one’s local LAN and use router firewall rules to block broadband access to the OS3 My Cloud…

Bet more than a few others have that same view. As is evident some have had to find ways to roll back to OS3 in order to regain usage (or lost features) of their My Cloud devices.

1 Like

I pretty much concur with this reasoning.

Personally, I am a bit concerned that the OS/5 has raised more security and personal privacy concerns than it resolved. Plus the horrid implementation of the key “indexing” function. . .results in a “no-go” from me.

Within my network; I find the old 1st gen single bay mycloud a bit too slow. . . .and I find that the EX2 ultra devices seem to do ok. If they are blocked (at the router) from the internet. . .I think I could still recommend OS/3.

Personally, I have turned off cloud access to OS/3; and I am “on the verge” of full internet blocking. I only retain access with a direct VPN to the router. . . .I am by no means an expert in this area, but what I find is that if I “block wan access” to the EX2’s. . . . VPN access is also blocked.

Personally, I like the “NAS in a box” solution. I have a competitor NAS on my shopping list, I am beginning to browse their forums to see if there are any hidden gotchas. I hear you on the “roll your own” server option. I do have an ancient 1st Gen I5 that I can dedicate to the task. . .but I just don’t feel like dedicating a full on desktop machine to the file server function.

As do I

and as a Mybook LIVE user, WD just sent an email offer of 40% ? off on an EX2 ultra unit.
I would take them up on it IF it came with OS3 firmware.

I don’t know what “40% off” means.

If that “40% off” includes the drives. . . .I might find it tempting; especially for larger drives (>4TB)

For 4TB or less. . . I might question “Why NAS?” (the answer, of course, being “Why NOT nas?”)

If drives are NOT included in the discount. . . bear in mind that most of the cost is in the drives themselves. . . . so the question becomes if you are going to invest $400-800 in disks; why would you put them in a crappy $150 enclosure, when a “better” enclosure is $250?

** Note that my personal answer on this has shifted in the last 12 months. The more I see. . . the less I like. (Funny. . .I could say the same about people)

(I know. . .how lame. . . .quoting myself. . . . .but)

I just saw this article.

Major Vulnerability Affects All Western Digital NAS Devices Running OS 3 | PetaPixel

I think it is time to block OS3 from the internet at the router level. . . .bye-bye VPN access.
Probably going to retain the OS/3 boxes for a time. . . and put it behind a separate router that has no WAN connection.

The comments in the krebsonsecurity link - another-0-day-looms-for-many-western-digital-users - are interesting.

“I think it is time to block OS3 from the internet” YES and Yes

While it is fun to throw one together with a Raspberry pi
( 8 GB -argon 40 case / fan with M.2 sata SSD ) – which replaces the Arduino

An easier to set up consumer box is needed.

While blocking broadband access to the OS3 My Cloud is a start. Ultimately blocking broadband access or VPN access to the device isn’t solving the underlying issue. The security vulnerability, if left unpatched, will still be there for anyone to exploit who gains or has access to one’s local network. There are a number of methods to limit access to the unit but as long as it’s unpatched and powered on and connected to a LAN, that vulnerability will be there to be exploited.

At the very least one should remove any mission critical or irreplaceable data on that My Cloud unit and store it somewhere else (with backups). One should also consider taking the OS3 My Cloud off any network where one cannot strictly control who has access to that local network. Particularly business users with large and or insecure networks should seriously consider removing any OS3 unit from their local network if they haven’t done so already.

Wonder how many will simply remove the My Cloud from their local network (and toss it/shuck the hard drive), or just connect it directly to their computer’s Ethernet port and use it like an external hard drive? And how many will simply ignore this issue, assuming they even know about it, and think it won’t affect them?