western digital nas backdoor

https://thehackernews.com/2018/01/western-digital-mycloud.html

Wow!

feas Wrote:
-------------------------------------------------------
> https://thehackernews.com/2018/01/western-digital-mycloud.html


I'd bet other NAS also have some vulnerabilities in their FW. But not this bad!

For the techies, we already have:
https://forum.doozan.com/read.php?2,32146

For the normal users out there, the only safe thing to do is disconnecting your WD MyCloud NAS until FW update is available.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)

Holly crap, this is huge

Should also mention the same was found in the D-Link DNS-320L ShareCenter but a later firmware upgrade fixed this. Seems the same developer got around from similarities in the code.

The latest WD firmware for the affected models is supposed to fix these vulnerabilities.

For example the EX2100 has firmware 2.30.172 released in November 2016 which is supposed to fix these vulnerabilities.

But having spent some time working in the WD firmware to try and determine how the Weltrend MCU controlling fan and power functions, and working with their u-boot and firmware source code, I can say it doesn't surprise me. The whole thing is very poor quality. I think they re-used code/designs from other products and shipped it as soon as it worked stable enough to not annoy customers too much.



Edited 1 time(s). Last edit at 01/06/2018 12:27PM by hmartin.

> The whole thing is
> very poor quality. I think they re-used
> code/designs from other products and shipped it as
> soon as it worked stable enough to not annoy
> customers too much.

Zyxel, Seagate, Cloudengine FW are also of poor quality. But WD FW is probably the worst.

-bodhi
===========================
Forum Wiki
bodhi's corner (buy bodhi a beer)