News

WD Reponds To Recent My Cloud Vulnerability Disclosure

WD made big headlines with the recent disclosure or no less than 85 exploits in their My Cloud series of NAS devices. The site that found the bugs also disclosed them to the public in order to get WD into gear and fix them and they did so because of WD’s reputation of doing nothing for far too long in situations like that. As example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them.

Now WD has come out with an official response on the issue and they have promised a fix for them. Let us all hope that the do so quickly. The response is quite typical in these type of situations and they naturally blame the site publishing the information for the risk their users are at now. Then again, the code shown was so sloppy written, it should never have been released. Especially not from a company with as long a history in storage as WD has.

You can read the full response below. For now, it’s still highly recommended that you disconnect any internet connection to your WD My Cloud NAS. A list of affected models can be found at the bottom of this article.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell that were addressed with the firmware update made available on December 20, 2016. We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practised by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Vesprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

Affected WD My Cloud Models:

  • My Cloud
  • My Cloud Gen 2
  • My Cloud Mirror
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100
Bohs Hansen

Disqus Comments Loading...

Recent Posts

AMD Adrenalin 22.5.2 – Game Ready for Sniper Elite 5 & Ray Tracing For Hitman 3!

AMD has announced the release of its latest Radeon Adrelanlin 22.5.2 graphics card drivers and…

2 hours ago

MSI Project ZERO Motherboard Leaks Appearing to Show ‘Cableless’ Design

There has been a definite trend in recent years for motherboard manufacturers to look to…

2 hours ago

Nvidia GeForce 512.95 – Game Ready for Sniper Elite 5 & Hitman 3’s Ray Tracing!

Attention Nvidia graphics card owners! - Yes, I'm afraid it's that time (yet again) when…

2 hours ago

AMD Confirms its New Upcoming ‘Raise the Game’ Radeon 6000 Bundle Titles!

Every six months, give or take, AMD usually looks to update the titles offered as…

2 hours ago

EA Games May Be Up for Sale – Why This Crazy Rumour MIGHT Be True!

I think it would be fair to say that EA doesn't have the best reputation…

2 hours ago

The Lord of the Rings: Gollum Confirmed for September 1st Release!

In early 2019, Daedalic Entertainment confirmed the development of The Lord of the Rings: Gollum.…

2 hours ago