Wonder what spooked WD with releasing update v2.31.174 on the 26th?

#1

As in …

Resolved Authentication bypass vulnerability (CVE-2019-9950)
Resolved Unauthenticated file upload vulnerability (CVE-2019-9951)

These CVE references are presently reserved and the issue fixed is undisclosed; it is good that the update has appeared without any public disclosure before a fix. Update installed without a hitch for me.

#2

Something is a bit fishy. When has WD ever been ahead of a vulnerability? Usually they are months to years behind.
Glad your install went without a hitch; you are far more brave than I, installing so quickly.

1 Like
#3

Curiouser and Curiouser. My NAS no longer exclaims that there’s a Firmware update. When doing a check using the blue triangle on the Firmware component on the NAS dashboard, it can no longer reach the WD server to update. What are you up to WD?

#4

I had the same error message. I eventually went to my product’s support page to download the FW and installed it manually via dashboard. I had no issues with it.

#5

In this case the details are not yet released.

Maybe an internal change in policy and/or management? Maybe WD have discovered an issue themselves? Maybe someone has disclosed a problem that is so stupidly serious that it can’t be ignored, as once released a parrot would be able to upload files remotely and do what they like with a compromised NAS?

The previous version of firmware was only released for manual download and that had significant updates within it.

I still find it mind-boggling how one of the past vulnerabilities was some code or program, generally used in D-Link equipment, that managed to make its way into a WD NAS and, worse still, that program has a hard-coded back door in it! That has since been patched.

It will be interesting to know what write-up is given to the two CVEs that have been addressed.

#6

Interesting. I thought I would do a firmware check from the NAS and I also got that failure to connect to server error, but the previous version did automatically download and install the current firmware.

#7

Things are still weird with this one. NAS sometimes can’t connect to the update server. Sometimes it can and says I’m up-to-date, but I am not (at ver. 2.31.149).

#8

For what it’s worth, and given the vulnerabilities that exist in the firmware version you’re using, manually download the firmware file and apply it to your NAS. If your NAS is not accessible from the Internet, and if it is, no port forwarding is used and relaying is used, then it’s not that critical.