Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29844: WDC-23002 My Cloud Firmware Version 5.26.119 | Western Digital

A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.

CVE
#vulnerability#git#rce#zero_day

WDC Tracking Number: WDC-23002
Product Line: My Cloud
Published: January 10, 2023

Last Updated: January 10, 2023

Description

My Cloud OS 5 Firmware 5.26.119 includes updates to help improve the security of your My Cloud OS 5 devices.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

Product Impact

Minimum Fix Version

Last Updated

My Cloud PR2100

5.26.119

January 10, 2023

My Cloud PR4100

5.26.119

January 10, 2023

My Cloud EX4100

5.26.119

January 10, 2023

My Cloud EX2 Ultra

5.26.119

January 10, 2023

My Cloud Mirror G2

5.26.119

January 10, 2023

My Cloud DL2100

5.26.119

January 10, 2023

My Cloud DL4100

5.26.119

January 10, 2023

My Cloud EX2100

5.26.119

January 10, 2023

My Cloud

5.26.119

January 10, 2023

WD Cloud

5.26.119

January 10, 2023

For more information on the latest security updates, see the release notes.

Advisory Summary

Addressed a remote code execution vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell.

CVE Number: CVE-2022-29841

Addressed a command injection vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file.

CVE Number:  CVE-2022-29842

Addressed a vulnerability in the DDNS service configuration that could allow an attacker to execute code in the context of the root user.

CVE Number: CVE-2022-29843

Reported by: rskvp93 and biennd4 (from VcsLab of Viettel Cyber Security) working with Trend Micro Zero Day Initiative.

Addressed a memory corruption vulnerability in the FTP service that could allow an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.

CVE Number: CVE-2022-29844

Reported by: Luca MORO (@johncool__) - [email protected] with Trend Micro Zero Day Initiative.

Related news

CVE-2022-29842: WDC-23002 My Cloud Firmware Version 5.26.119 | Western Digital

Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: through 5.26.119.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907