back to article 'I am admin' bug turns WD's My Cloud boxes into Everyone's Cloud

Miscreants can potentially gain admin-level control over Western Digital's My Cloud gear via an HTTP request over the network or internet. Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass …

  1. Korev Silver badge

    Firewall

    This is exactly why my non-WD NAS sits behind a firewall with remote access off.

  2. CrazyOldCatMan Silver badge

    Re: Firewall

    This is exactly why my non-WD NAS sits behind a firewall

    Likewise. And it's also why I use FreeNAS..

  3. Paul Crawford Silver badge

    Re: Firewall

    why I use FreeNAS

    Not to mention it using ZFS with the data checksums and periodic scrubbing to help fix/detect any HDD problems early on.

  4. H in The Hague Silver badge

    Repeating myself

    Now feeling even better about refusing my supplier's kind offer of a cloudy drive and opting for one with local access only than I did when this issue was first reported on El Reg.

  5. Kicker of Metaphorical Cats

    Finally

    I had not been able to get in since 2014 (https://www.theregister.co.uk/2014/04/07/mycloud_still_nixed/).

    All is now right with the world.

  6. ma1010 Silver badge

    Another WD nightmare

    And their customer service is so good (not).

    I was thinking of getting a MyCloud, but I saw another post on El Reg that suggested ownCloud, which sounded interesting. I now have a new project where I'm going to take some old hardware and build my own home NAS with ownCloud - and lock out its IP number at the Internet firewall.

  7. gerdesj Silver badge

    Re: Another WD nightmare

    You might consider NextCloud. Mine is open to the world but securing IT stuff is my day job. If you are not sure then start with getting a VPN running for remote access to home. OpenVPN listening on 443/tcp looks very like a https website which can work nicely on many sites and you can even drill it through many web proxies if needed.

  8. CrazyOldCatMan Silver badge

    Re: Another WD nightmare

    You might consider NextCloud. Mine is open to the world but securing IT stuff is my day job

    Ditto (to both). Add in Lets Encrypt and some fairly tight firewall rules for added oomph.

  9. AlJahom

    Re: Another WD nightmare

    Agree... An OpenVPN Access Server, with Google MFA enabled.

    Nothing else gets inbound.

  10. Anonymous Coward
    Anonymous Coward

    What does 'WD' stand for?

    For me pretty much 'Warranty Died'

  11. Anonymous Coward
    Anonymous Coward

    The Cloud...

    Computers that you own that other people have full control over...

  12. Anonymous Coward
    Anonymous Coward

    Re: The Cloud...

    No, the cloud is....

    someone elses computer, somewhere else that you rent by whichever combination of the hour, cpu cycle, byte of memory or byte of storage that will cost you the most.

  13. EnviableOne Bronze badge

    Re: The Cloud...

    Nah I have my own accronym

    OPT - Other people's Tin

  14. Anonymous Coward
    Anonymous Coward

    Ha ha ha ha ha ha ha ha

    That is all.

  15. Giovani Tapini

    Re: Ha ha ha ha ha ha ha ha

    You must work for WD or you would not have posted as AC.

    Have an upvote for being bang-on.

  16. Anonymous Coward
    Anonymous Coward

    We had a WD device on our network. About a year ago.

    I got the heebie jeebies when it was disclosed how to compromise it that I stole it out from underneath said user's desk and hid it somewhere. Of course there was a big outcry, but I kept schtum, because I did not want it back on the network, and they will not understand the reason why.

    Now I'm glad I did so. One of the trickses us BOFH's had to do.

    AC because.

  17. Stevie Silver badge

    Bah!

    All your ripped movie are belong to lightbulb.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2018