Recently, security researcher Securify published an authentication bypass vulnerability for Western Digital My Cloud products (My Cloud Home is exempt from the vulnerability). The vulnerability has been unpatched for over a year and was originally discovered by security researcher Remco Vermeulen.
The vulnerability requires an attacker to already have access to a My Cloud owner’s local network or the My Cloud owner would have had to change factory settings in Dashboard Cloud Access allowing additional remote access to the My Cloud device.
Models with Dashboard Cloud Access:
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud EX2 Ultra
- My Cloud DL2100
- My Cloud DL4100
- My Cloud PR2100
- My Cloud PR4100
- My Cloud Mirror
- My Cloud Mirror Gen 2
Dashboard Cloud Access: The Dashboard Cloud Access feature is available under Settings->General->Cloud Access.
Port Forwarding: Port forwarding of HTTP connections should be disabled on the My Cloud device and the router. On My Cloud devices the port-forwarding feature is available under Settings->Network->Port Forwarding and can be used only if the connected router supports uPnP.
Western Digital My Cloud devices containing firmware before 2.30.196 are affected.
This has been assigned CVE number – CVE-2018-17153
Hi, just a heads up, the recently reported vulnerability in the My Cloud firmware has been addressed with a user-installable hotfix found here: https://t.co/uplC38HOdt This will be included in an over-the-air update as part of the normal upgrade schedule for these product
— Western Digital (@westerndigital) 21 September 2018
The patch will also be included in an over-the-air (OTA) update in the standard MyCloud firmware upgrade schedule.
Download the fix here – https://support.wdc.com/knowledgebase/answer.aspx?ID=25952&s