WD Responds To Recent My Cloud Vulnerability Disclosure

WD made big headlines with the recent disclosure of no fewer than 85 exploits in its My Cloud series of NAS devices. The site that found the bugs also disclosed them to the public in order to push WD into fixing them, and it did so because of WD’s reputation for doing nothing for far too long in situations like this. As an example, the vendor won a “Pwnie for Lamest Vendor Response” at the last BlackHat conference in Vegas, in a situation where the vendor ignored the severity of a set of bugs reported to them.

Now WD has come out with an official response on the issue and has promised a fix for the bugs. Let us all hope that they do so quickly. The response is quite typical in these types of situations, and they naturally blame the site publishing the information for the risk their users are now at. Then again, the code shown was so sloppily written that it should never have been released, especially not by a company with as long a history in storage as WD has.

You can read the full response below. For now, it’s still highly recommended that you disconnect any internet connection to your WD My Cloud NAS. A list of affected models can be found at the bottom of this article.

Western Digital is aware of recent reporting of vulnerabilities in its My Cloud family of products, including related to vulnerabilities previously reported by Steven Campbell that were addressed with the firmware update made available on December 20, 2016. We are reviewing the recent exploitee.rs report and based on a preliminary evaluation, a change to address one exploitee.rs reported issue has already been made in the December update. Additionally, if we determine the report has identified any new issues, we will address those soon based on the severity of the issues, the existence, if any, of ongoing attacks, and the potential customer disruption of an unscheduled update. We recommend My Cloud users contact our Customer Service team if they have further questions; find firmware updates; and ensure their My Cloud devices are set to enable automatic firmware updates.

Western Digital appreciates and encourages disclosure of potential vulnerabilities uncovered by security researchers such as Steven Campbell under the responsible disclosure model practised by the security community. This balanced model acknowledges the contributions of security researchers, allows Western Digital to properly investigate and resolve concerns, and most importantly protects our customers from disclosure of exploits before a patch is available. As evidenced by our work with various researchers such as Steven Campbell, Vesprite and others, we work closely with the security community to address issues and safely meet our customers’ needs. If exploitee.rs had followed this model as other security researchers have and contacted us with that spirit in mind prior to publishing their report, they would have known of our current work and progress toward a resolution in this case.

Affected WD My Cloud Models:

  • My Cloud
  • My Cloud Gen 2
  • My Cloud Mirror
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud EX2 Ultra
  • My Cloud EX2
  • My Cloud EX4
  • My Cloud EX2100
  • My Cloud EX4100
  • My Cloud DL2100
  • My Cloud DL4100
Bohs Hansen
