Version of Samba in mycloud vulnerable to CVE-2014-3560?

I have a 2TB MyCloud with firmware version v04.01.02-417

When I ssh into the device and run “smbd -V” the samba version is indicated to be 4.0.0rc5.

Unfortunately, 4.0.0rc5 is probably susceptible to a remote code execution vulnerability in nmbd (the NetBIOS name server). Does WD backport security fixes? Having reviewed the available source code it does not appear to be backported, but I may be blind.

Relevant NIST entry for the CVE is here: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3560

Okay. I’ve reviewed the source for the MyCloud firmware. The patch fixing this bug in samba was committed here: https://git.samba.org/?p=samba.git;a=commitdiff;h=fb9d8c402614556d7a36f9e9efb72b3f4afe838a.

The bug is unpatched in the current version of MyCloud firmware.

Hello,

Welcome to the WD Community.

Thanks for sharing, we have passed this along to support.