Version of Samba in mycloud vulnerable to CVE-2014-3560?

greekpub · January 28, 2015, 3:26pm

I have a 2TB MyCloud with firmware version v04.01.02-417

When I ssh into the device and run “smbd -V” the samba version is indicated to be 4.0.0rc5.

Unfortunately, 4.0.0rc5 is probably susceptible a remote code execution vulnerability in nmbd (the netbios name server). Does WD backport security fixes? Having reviewed the available source code it does not appear to be backported, but I may be blind.

Relevant NIST entry for the CVE is here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3560

greekpub · January 28, 2015, 5:28pm

Okay. I’ve reviewed the source for the MyCloud firmware. The patch fixing this bug in samba was commited here: https://git.samba.org/?p=samba.git;a=commitdiff;h=fb9d8c402614556d7a36f9e9efb72b3f4afe838a.

The bug is unpatched in the current version of MyCloud firmware.

ERmorel · January 28, 2015, 9:05pm

Hello,

Welcome to the WD Community.

Thanks for sharing, we have passed this along to support.

Topic		Replies	Views
Samba vulnerability CVE-2015-0240 My Cloud OS 3	1	1217	February 24, 2015
New Release - My Cloud Firmware Versions 4.05.00-320 (11/28/17) & 2.30.181 (01/12/18) My Cloud OS 3	6	15898	October 19, 2018
Security?! why is the latest firmware so full of unpatched vulnerabilities? My Cloud OS 3	6	1638	November 30, 2019
New Release - My Cloud Firmware Version 04.05.00-334 (03/12/2019) My Cloud OS 3	24	14745	December 16, 2019
Firmware Update for a Security Vulnerability regarding samba service (CVE-2017-7494)? My Book Live	5	1690	June 2, 2017

Version of Samba in mycloud vulnerable to CVE-2014-3560?

Related topics