Taking Precautions Against New Vulnerablity OS3

On my WD MyCloudMirror Gen 1, which cannot be updated to OS5 and sits on my LAN, I have taken the following precautions:

  • passwords on all users - even those with low-privilege user accounts
  • disabling ftp server - (I understand that the FTP server would allow people to upload and then run files using the default FTP passwords or anonymous remote access with write access enabled).
  • disabling cloud access
  • all backed up
    But from the management app I can still use the Web File Viewer app to see the files. Does the WFV actually communicate via the web, or is it just a fancy name from browsing the NAS over the LAN?

You may want to post (or see) the dedicated OS3 My Cloud Mirror subforum where users more familiar with that device may have additional answers or suggestions.

OS3 My Cloud Mirror
https://community.wd.com/c/personal-cloud-storage/wd-my-cloud-mirror/110

One can try to run the OS3 “patch” suggested in the following thread.

Unofficial Patch for OS3 Zero Day RCE Vulnerability
https://community.wd.com/t/unofficial-patch-for-os3-zero-day-rce-vulnerability/268631

One should also see if their local network router/firewall can block inbound/outbound broadband traffic to the My Cloud in addition to the various steps you’ve already taken. There are many other steps one can and should take to harden their local network to prevent general intrusion.

1 Like

Thanks Bennor, have also posted to the forum you recommended. But I think it is an OS3 problem rather than a hardware problem.

Oh it is definitely a firmware problem, but there really isn’t a subform for just the firmware itself. Rather WD set this up such that each subform generally covers specific devices. Typically and generally this subform (My Cloud) tends to discuss the single bay/single drive My Cloud and it’s issues. The multi bay My Cloud units like the My Cloud Mirror may have additional features and options (including additional access options) not found on the single bay/single drive My Cloud units.

Right now WD recommends those devices affected, to disconnect them from the Internet. One way to do so is access one’s local network router and block inbound/outbound traffic to the My Cloud so only local network devices have access and there is no remote access.

1 Like

Thanks Bennor. I do find the subforms confusing.
I have taken your advice and in my router settings have blocked inbound internet access to my NAS.
So with the precautions I listed I am feeling secure again.

So I went into my Plusnet router and to the Access Controls page and it showed me a list of connected equipment including the ‘WDMyCloud Mirror’ plus its MAC address. I chose that to block and it confirmed that ‘WDMyCloud Mirror’ with MAC addres …etc is now blocked.
Excellent I thought cos I did not have to specify an IP address - which can change.
But it could be that the router blocks by IP address but communicates to me what it is doing by using the device name and MAC address. So I would be vulnerable if the IP address changed.
Any thoughts?

It depends on how exactly the router is blocking the traffic. Some routers base the block on the device’s MAC address. Others may do it by IP address. If by MAC address then it shouldn’t matter if the IP address changes the block is being done by MAC address not by IP address. If a router does the block by IP address then one should configure the router to issue a static/reserved IP address to the My Cloud.