Western Digital has just released an hotfix firmware update to resolve the authentication bypass vulnerability (CVE-2018-17153) that had remained unpatched in My Cloud NAS devices for over a year.
This vulnerability allowed anyone to bypass authentication and get administrative access to the router. Once an attacker gains access to a router, they can flash it with customer firmware, change DNS to point users to phishing sites, or perform other malicious activities.
After wide media coverage, Western Digital stated that they would be working on a fix for this vulnerability. Western Digital today posted to the BleepingComputer tweet about the unpatched vulnerability and has stated that a hotfix has been released.
Hi, just a heads up, the recently reported vulnerability in the My Cloud firmware has been addressed with a user-installable hotfix found here: https://t.co/uplC38HOdt This will be included in an over-the-air update as part of the normal upgrade schedule for these product
— Western Digital (@westerndigital) September 21, 2018
For those using Western Digital My Cloud NAS devices, you can download the appropriate firmware update from the following list:
Firmware Download
- My Cloud FW 2.30.196
- My Cloud Mirror Gen2 FW 2.30.196
- My Cloud EX2 Ultra FW 2.30.196
- My Cloud EX2100 FW 2.30.196
- My Cloud EX4100 FW 2.30.196
- My Cloud DL2100 FW 2.30.196
- My Cloud DL4100 FW 2.30.196
- My Cloud PR2100 FW 2.30.196
- My Cloud PR4100 FW 2.30.196
Instructions on how to install the firmware update can be found in this security notice.
Comments
jymbrittain - 5 years ago
That's fine for devices with the v2 firmware. There are devices out there remain unpatched with v4 firmware. They need to keep the cloud setting turned off or unplugged from the 'net until it's fixed