Security?! Why is the latest firmware so full of unpatched vulnerabilities?

The worst example is the old version of Samba, the most used service.
The version in firmware v04.05.00-342 is 2:3.6.6-6+deb7u1
The latest version available by apt-get with the installed Debian repositories is 2:4.2.14+dfsg-0+deb8u9
The CVE-2017-7494 (24 May 2017) security warning states that versions 3.5.0 to 4.6.4 contain a well known privilege escalation vulnerability. Version 4.6.5 was released June 6, 2017, yet WD firmware v04.05.00-342 was compiled 6 August 2019 without that fix.

Surely WD has heard the “Internet of Things” scare? Here we have a Debian system in volatile storage (unlike the dreadfully insecure Nest devices) which has the obvious potential for attack yet good potential for timely patching.

v04.05.00-342 contains Linux kernel v3.2.26 #1 SMP Thu Jul 9 11:14:15 PDT 2015 wd-2.4-rel armv7l while almost everyone is using kernels v4 or v5.

WD Community,
Thank you for reporting your set of concerns,

Regarding the Samba vulnerability, we reviewed CVE-2017-7494 as part of our security review process and applied a patch to Samba in firmware 04.05.00-334 released on 03/12/2019 as indicated by the firmware release notes https://support.wdc.com/download/notes/WD_My_Cloud_Firmware_Release_Notes_04.05.00-342.pdf.

The My Cloud with firmware v04.xx.xxx was last manufactured in 2016 and is currently under the Limited Update Status (Western Digital Product Lifecycle Support Policy) defined as products out of warranty and no longer manufactured in the last 3 years. Under this status, we assess security vulnerabilities on a case-by-case basis and evaluate whether potential vulnerabilities present a real-world risk to our users. We also have a vulnerability reporting process to connect security researchers directly to our product security team. (Product Security | Western Digital)

WD Staff

You can blow smoke all you want and it's still smoke. I don't care if it's out of warranty or not. You're saying, aka, since we made our money off you we choose to put our work towards the next thing to make money off you. @mike, I stopped using stock firmware after I left the Beta for this device in 2014. It had problems then from a Dev standpoint, i.e. 3x firmware not knowing its brother was 4x etc… Due to a NDC I signed I cannot go into it, but the gist of it is this: if you run a stock image of anything, you will get owned.

I am sorry, the +deb7-u1 version of Samba 3.6.6 is indeed patched against the vulnerability, though it being a special backport means it lacks domain Kerberos capability.

Several upgrades and installations using apt-get are prevented by the dependencies of the manually installed packages wd-lib, wd-nas, etc. I am trying to find a way around this, keeping the reset-to-firmware capability.

Perhaps WD should release the sources of their own packages for out-of-warranty devices?

There is a whole website on hacking the MyCloud but their methods of completely replacing the system include a considerable risk of “bricking” the device completely.

My device should not get “owned” because I keep it in my firewalled LAN, though when it was new I had it on dynamic-ip for a while. I have the data on it in backup so I could risk bricking it but it’s so awkward extracting the drive and attaching it to my laptop by USB. BTW I am trying to get it to run ClamAV, as slowly as it likes, but can’t get past the 250MB RAM so far.
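The version-number confusion above (Samba 3.6.6 sits inside the CVE-2017-7494 affected range, yet the +deb7u1 build is patched) can be made mechanical. The following is an added example, not code from the thread or from WD: it parses a Debian package version, compares the upstream part against the affected range named in the advisory, and flags a Debian security-backport revision as "check the changelog" rather than "vulnerable". The range and version strings are the ones quoted in this thread.

```python
import re
from dataclasses import dataclass

# Affected upstream range stated by the CVE-2017-7494 advisory (inclusive).
CVE_2017_7494_RANGE = ("3.5.0", "4.6.4")


@dataclass
class DebVersion:
    epoch: int
    upstream: str
    revision: str


def parse_deb_version(v: str) -> DebVersion:
    """Split '[epoch:]upstream[-revision]' into its three Debian components."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, _, revision = v.rpartition("-")
    if not upstream:                 # native package: no '-' present
        upstream, revision = revision, ""
    return DebVersion(epoch, upstream, revision)


def upstream_tuple(upstream: str) -> tuple:
    """Leading dotted numeric part only, so '4.2.14+dfsg' compares as (4, 2, 14)."""
    m = re.match(r"(\d+(?:\.\d+)*)", upstream)
    return tuple(int(x) for x in m.group(1).split("."))


def assess(version: str) -> str:
    """Classify a Samba package version against the advisory range.

    Debian security updates keep the upstream number and bump only the
    revision with a '+debNuM' suffix, so an upstream inside the affected
    range is not proof of exposure; the package changelog decides.
    """
    d = parse_deb_version(version)
    lo, hi = (upstream_tuple(x) for x in CVE_2017_7494_RANGE)
    in_range = lo <= upstream_tuple(d.upstream) <= hi
    backport = bool(re.search(r"\+deb\d+u\d+", d.revision))
    if not in_range:
        return "upstream not in affected range"
    if backport:
        return "in affected range; security backport present, check changelog"
    return "in affected range; no security backport visible"


if __name__ == "__main__":
    for v in ("2:3.6.6-6+deb7u1", "2:4.2.14+dfsg-0+deb8u9", "4.6.5"):
        print(v, "->", assess(v))
```

On the device itself, `apt-get changelog samba` (or the changelog under /usr/share/doc/samba) is where the CVE identifier would appear for a backported fix.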

With respect to the single bay My Cloud, WD has made GPL source code (such as it is) available for anyone who wants to use it to compile their own updates or fix various issues with the existing firmware.

In the end though, if one is worried about security vulnerabilities in the current firmware, they may want to look at using alternate firmware where one may have more control over updates. For example:

The day will eventually come however where WD stops updating the firmware altogether on these old single bay My Cloud units. The first gen v4.x firmware units are rarely updated to fix security vulnerabilities these days.

@bennor well said, I cannot say it enough. If you're gonna complain about a firmware with respect to the age of the device, I agree you should look to alternate firmwares, kernels, images etc… Fox has laid the pathway for me, I'm sure many others. For those that don't know what Fox's site is, I am running a mirror of his nice code, work and hours of testing into a URL, mycloud.2600.website

The sources you linked do not include the vital “wd-lib” package, pre-installed in the issued firmware with no “archive” nor source. Hence its dependencies hamper any updates.
