Western Digital
Security researcher James Bercegay informed Western Digital about this gap in mid-2017. After half a year, the disclosure period that Western Digital itself had requested has elapsed, and all the details and a proof-of-concept exploit have been published on GulfTech (via TechSpot). However, WD has not delivered a fix so far. It is questionable whether WD can do anything about it, because the backdoor is "hard-coded" and cannot be deactivated by software. This means that a given combination of username and password grants access to any of the affected My Cloud storage devices without exception. The access is also comprehensive, because the admin gets shell access and can thus execute any command imaginable. Incidentally, the models of the MyCloud 04.X series and MyCloud devices with firmware 2.30.174 are not affected.
The Affected WD Products:
- MyCloud
- MyCloudMirror
- My Cloud Gen 2
- My Cloud PR2100
- My Cloud PR4100
- My Cloud EX2 Ultra
- My Cloud EX2
- My Cloud EX4
- My Cloud EX2100
- My Cloud EX4100
- My Cloud DL2100
- My Cloud DL4100