Resolved multiple command injection vulnerabilities throughout the web UI, and the Web Admin Dashboard.

Resolved the following cross site request forgery (CSRF) vulnerabilities:

A cross-site request forgery vulnerability was reported where an authenticated admin user could be enticed to visit a crafted website that would perform requests on their demand. Added Cross-Site Request Forgery protection.

Reported by: Remco Vermeulen

A CSRF vulnerability was reported in WD My Cloud where an attacker could use the user’s browser as a proxy to launch a CSRF attack. Implemented REST end point checks to block CSRF attacks.

Reported by: Edith Kain

Resolved multiple CSRF vulnerabilities on the WD My Cloud devices that could further lead to unauthenticated command injections as well as arbitrary file uploads.

Reported by: Fikri Fadzil from SEC Consult Vulnerability Lab

Resolved multiple cross site request forgery vulnerabilities in the WD My Cloud web interface that could allow remote code execution and escalation of privileges.

Reported by: James Bercegay

Resolved multiple cross site request forgeries in storage and settings pages, backup pages and cloud access for My Cloud web interface. Also resolved multiple CSRF issues in the My Cloud app.

Resolved a Linux kernel vulnerability [Dirty Cow]. This allowed a local user to obtain root privileges on a target system.

CVV Number: CVE-2016-5195

Resolved Denial-of-Service vulnerability in the user language preferences settings of the web interface.

Reported by: James Bercegay

An authentication bypass was reported in the WD My Cloud device that provided a user with admin privileges without authenticating. This issue was resolved by blocking SSH shadow information from the web browser view.

Reported by: Remco Vermeulen

The OpenSSH component has been updated to version 7.5p1 to address multiple vulnerabilities.

Reported by: Jacob Ent

Resolved a buffer overflow issue that could lead to unauthenticated access through the use of return-oriented programming (ROP). Added stack canary buffer overflow protection and ensured address space layout randomization (ASLR) was implemented correctly.

Reported by: Remco Vermeulen

The My Cloud operating system was vulnerable to potential brute-force attacks on the Dashboard authentication and SSH service. This made users with weak passwords more susceptible to having their files compromised. Resolved the vulnerability by enhancing security on authentication.

The version of portable SDK for UPnP (Universal Plug and Play) was vulnerable to a number of remote code execution vulnerabilities. Resolved the issue by updating the libupnp component to version 1.6.25.

CVE Number: CVE-2012-5958

Addressed a clickjacking vulnerability in all dashboards by adding X-Frame-Options in webserver and validating SAMEORIGIN is returned.

Resolved the following security issues in the Webfile viewer on-device app:

• A path traversal to restricted directories vulnerability has been addressed in the Webfile viewer (CWE-22)
• Resolved an unrestricted file upload command execution vulnerability in the Webfile viewer. This fix prevents arbitrary command execution and potential compromise of user data (CWE-829)
  

Improved the security of volume mount options. Added secure mount option for user shares. This limits what can be done from the user shares and enhances the security of the device in terms of scripted attacks or naive attacks such as remote exploitation methods or privilege escalation (CWE-275)

Resolved EULA Bypass vulnerability in EX2, EX4, and Mirror Gen1. It was possible for the user to bypass EULA to configure the NAS device without accepting the agreement leading to an improper access control vulnerability (CWE-284)

Improved credential handling for the remote MyCloud-to-MyCloud backup feature. Removed unencrypted credentials in remote backup process preventing credential exposure. Addressed cleartext transmission of sensitive information (CWE-319)

The admin interface of the firmware was running an outdated version of jQuery. jQuery has been updated to version 3.3.1 to address a Cross-Site Scripting (XSS) vulnerability.

CVE Number: CVE-2010-5312

Reported by: Tobias Jakobs

Resolved File-list validation vulnerability in the rsync component which is an open-source utility that provides fast incremental file transfer. It has been updated to version 3.1.3 to address the issue.

CVE Number: CVE-2018-5764

Reported by:  Jacob Ent

WD My Cloud devices provided IPv6 users with admin privileges without authenticating. This IPv6 authentication bypass vulnerability has been fixed to prevent authentication bypass using IPv6 redirects.

CVE Number: CVE-2018-17153

Reported by: Remco Vermeulen

Apache has been updated to version 2.4.34 to address multiple vulnerabilities.

CVE Number: CVE-2018-1301

CVE Number: CVE-2018-1302

CVE Number: CVE-2018-1303

CVE Number: CVE-2018-1312

CVE Number: CVE-2017-15715

The PHP component has been updated to version 5.4.45 to address a number of potential vulnerabilities including buffer over-read, wrong hashes, use-after-free, remote command execution, null pointer dereference and directory traversal.

CVE Number: CVE-2015-6834

CVE Number: CVE-2015-6835

CVE Number: CVE-2015-6836

CVE Number: CVE-2015-6837

CVE Number: CVE-2015-6838

CVE Number: CVE-2014-9767

Resolved an authenticated remote command execution vulnerability in the My Cloud devices.

Reported by: Maor Shwartz