News

WD Reponds To Recent My Cloud Vulnerability Disclosure

WD made big headlines with the recent disclosure or no less than 85 exploits in their My Cloud series of NAS devices. The site that found the bugs also disclosed them to the public in order to get WD into gear and fix them and they did so because of WD’s reputation of doing nothing for far too long in situations like that. As example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas in a situation where the vendor ignored the severity of a set of bugs reported to them.

Now WD has come out with an official response on the issue and they have promised a fix for them. Let us all hope that the do so quickly. The response is quite typical in these type of situations and they naturally blame the site publishing the information for the risk their users are at now. Then again, the code shown was so sloppy written, it should never have been released. Especially not from a company with as long a history in storage as WD has.

You can read the full response below. For now, it’s still highly recommended that you disconnect any internet connection to your WD My Cloud NAS. A list of affected models can be found at the bottom of this article.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell that were addressed with the firmware update made available on December 20, 2016. We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practised by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Vesprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

Affected WD My Cloud Models: