Vulnerabilities Discovered on the PR4100

My company uses a vulnerability management product on our network. We recently acquired the product and ran a scan on all of our nodes. The findings for our PR4100 showed numerous vulnerabilities that apparently should have been patched long ago.

We have the latest firmware installed, 2.31.204, and after performing an update check this has been verified.

Most of the vulnerabilities are with SMB SAMBA, PHP, and several others. I have included a screen capture of the findings. In the interim I am using our hardware appliance Sonicwall to block further access until Western Digital properly updates the OS on this device.

I do hope someone from their R&D team takes a look at this post and revisits these vulnerabilities ASAP. Comments welcome. Thanks
Rev

PS I wish to add, I have no Port Forwarding enabled.
Though you can’t see this in the attached image, the vulnerability shows these ports are responding from this device: 3306, 3689, 32000, 9000, 9443 and several others. I suspect PLEX may be using a few of these ports, as well as iTunes and DLNA.

SAMBA 3 is enabled, hence the vulnerabilities; however, if SAMBA patches were implemented on the WD device, these vulnerabilities likely wouldn’t be present.

I also have Cloud Access enabled. Other server-like options, such as FTP, are all off.

Sure, we are an end user and can distribute licenses in SoCal for the Radar product by F-Secure. If your internal staff requires a testing license, drop me a line; I can get you one 30-day trial at no charge. I can also offer more on each of these vulnerabilities, such as the article number, exploitation info and so on.

@Revup67

Thank you for reporting your findings to Western Digital.
WD takes the safe and secure use of our products seriously.
We have forwarded your message to the PSIRT team who will respond to you with a PSIRT case number. In the future, we kindly request that you report all security vulnerabilities to the PSIRT team by following the Product Security Support Process.

WD Staff

Hello - today Oct 28, 2020 I have upgraded to OS 5 for the PR 4100 seamlessly. The amount of High Level vulnerabilities has been significantly reduced from 28 to 3.
Only 3 High Vulnerabilities remain, 2 are via jQuery:
Findings via RADAR:
jQuery - which has reached its end of life: “This version of the jQuery library has reached end-of-life status.” Vendor Info: Active development for the version of the jQuery library used in the scanned application has ended. The vendor announced that the jQuery 1.x and 2.x branches will no longer receive patches or updates.
- Solution: Upgrade to the latest version of the jQuery library.
Python:
Python through 2.7.17, 3.5.9, 3.6.10, 3.7.6 and 3.8.1 Regular Expression Denial of Service Vulnerability.
Insight: The remote Python implementation is affected by a denial of service vulnerability.
Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.7, and 3.8 through 3.8.2 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. The vulnerability is based on the following retrieved information from 5357/TCP
Solution: Upgrade to the latest Python version. The vendor has prepared a fix for this issue in versions 3.5.10, 3.6.11, 3.7.8 and 3.8.3. Reference: CVE-2020-8492
WD may require proper tools to glean such visibility, which will reveal the vulnerabilities. These PR series consumer-based units should be checked regularly for the protection of the end users. The above information is only as of today, 10-28-20. Breaches to all software can occur on a regular basis.
My report also shows Medium level, 29 vulnerabilities currently exist. I wish to note this WD OS 5 upgrade is a significant improvement over the OS 3. I have sent a full report to your team via email indicating where the risks lie. Thank you.
Anthony

@Revup67

Thank you for reporting your findings to Western Digital. We take the safe and secure use of our products seriously.

We have evaluated the report you sent to our PSIRT. We are happy to see that the F-Secure RADAR scanner has identified fewer issues in OS 5. We believe that these vulnerability scanners don’t always tell us how the functionality is being used in our products and thus may have some false positives from time to time. In our case, we apply Debian 10 “Buster” back-ported security fixes which do not necessarily result in a version number change.

For the issues that pertain to third-party software and libraries such as jQuery, we are working with the vendors to address the concerns.

Thank you again.
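The back-port point in WD's reply is why a version banner alone cannot settle whether CVE-2020-8492 is fixed: the distribution changelog is the record that a scanner reading banners never sees. As an added example that is not from the thread, WD or Debian, this shell script reads a constructed Debian-format changelog (package name, versions and maintainer are placeholders) and compares the installed version against the entry that records the CVE fix.

```shell
#!/bin/sh
# Added example, not from the thread or WD: confirm a CVE fix from the Debian
# package changelog, which records backports that leave the upstream version
# banner (and a banner-based scanner's verdict) unchanged.
# Constructed changelog in Debian format; package, versions and maintainer are
# illustrative placeholders, only the CVE id comes from the thread.
SAMPLE_CHANGELOG='python3.7 (3.7.3-2+deb10u3) buster-security; urgency=high

  * Backport upstream fix for CVE-2020-8492
    (ReDoS in urllib.request.AbstractBasicAuthHandler).

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Sep 2020 10:00:00 +0000

python3.7 (3.7.3-2) unstable; urgency=medium

  * New upstream release.

 -- Example Maintainer <maintainer@example.invalid>  Wed, 01 May 2019 10:00:00 +0000
'

# cve_fix_version CVE-ID CHANGELOG_TEXT
# Prints the newest version whose entry mentions the CVE; prints nothing if none.
cve_fix_version() {
    printf '%s\n' "$2" | awk -v cve="$1" '
        /^[^ ]+ \(/ { ver = $2; gsub(/[()]/, "", ver) }  # header: pkg (version) dist; ...
        ver != "" && index($0, cve) { print ver; exit }  # first hit is the newest entry
    '
}

# version_ge A B: true when A sorts at or after B. sort -V agrees with dpkg
# for the plain +debNuM suffixes used here (dpkg --compare-versions is stricter).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# cve_status INSTALLED_VERSION CVE-ID CHANGELOG_TEXT -> fixed | vulnerable | unknown
cve_status() {
    fix=$(cve_fix_version "$2" "$3")
    if [ -z "$fix" ]; then echo unknown
    elif version_ge "$1" "$fix"; then echo fixed
    else echo vulnerable
    fi
}

# Demonstration on the constructed text; on a Debian host the changelog comes
# from /usr/share/doc/<package>/changelog.Debian.gz (read it with zcat).
for installed in 3.7.3-2 3.7.3-2+deb10u2 3.7.3-2+deb10u3; do
    printf '%s: CVE-2020-8492 %s\n' "$installed" "$(cve_status "$installed" CVE-2020-8492 "$SAMPLE_CHANGELOG")"
done
```

A result of `unknown` means the changelog does not mention the CVE at all, which is the case where the scanner's banner-based finding still needs to be checked against the vendor's own advisory.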