I have discovered the following security vulnerabilities (and the recommended fixes) on my new WD MyCloud Home device
Samba 4.13.x < 4.13.17 / 4.14.x < 4.14.12 / 4.15.x < 4.15.5 Multiple Vulnerabilities - Upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 or later
Samba Badlock Vulnerability - Upgrade to Samba version 4.2.11 / 4.3.8 / 4.4.2 or later
SSL Medium Strength Cipher Suites Supported (SWEET32) - Reconfigure the affected application if possible to avoid use of medium strength ciphers.
SSL Certificate Cannot Be Trusted - Purchase or generate a proper SSL certificate for this service.
Microsoft Windows SMB Shares Unprivileged Access - To restrict access under Windows, open Explorer, do a right click on each share, go to the ‘sharing’ tab, and click on ‘permissions’.
Microsoft Windows SMB Shares Unprivileged Access - To restrict access under Windows, open Explorer, do a right click on each share, go to the ‘sharing’ tab, and click on ‘permissions’.
These are all High Security Risks and need to remediated immediately.
Can someone/WD please let me know when these vulnerabilities will be resolved and also if there is anything I (we) can do to resolve these issues ourselves.
If you registered more than 8 years ago you should already know that currently no home type NAS support anything much beyond samba 4.10, not Synology and not WDC, although some patch are available individually for each build of DSM or OS 5. Being a OS 4 system, the MCH is pretty much an odd ball Android hybrid OS and it is the primarily reason it lags so far behind in up to date patch for CVEs because of the lack of samba support for Android. MCH is a home machine and it relies on the file level authentication of the kddfs in the private user space for security. WDC does not advice users to store data on the samba drive other than Windows backup and MacOS TM.
If your primary concern is for samba compatibility and security, you should return your new My Cloud Home and find something else.
Important:
The My Cloud Home Public Share is designed and implemented for Windows File Backup. It is not designed for local LAN storage access. Although is can be accessed on Windows and macOS, it was not designed to be used as local LAN storage. Please use WD Discovery and the User Private Space for your My Cloud Home content storage needs.
Thank you for posting your concerns regarding potential security vulnerabilities on your My Cloud Home device. Our Product Security Incident Response Team (PSIRT) (psirt@wdc.com) will be reaching out to you directly to assist with this matter. In the future, we kindly request you report the details directly to our PSIRT team by following the process found on our product security page found here: Product Security | Western Digital