Headline
CVE-2022-22991: WDC-22002 My Cloud OS 5 Firmware 5.19.117 | Western Digital
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.
WDC Tracking Number: WDC-22002
Published: January 13, 2022
Last Updated: January 13, 2022
Description
My Cloud OS 5 Firmware 5.19.117 includes updates to help improve the security of your My Cloud OS 5 devices.
Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.19.117
January 10, 2022
My Cloud PR4100
5.19.117
January 10, 2022
My Cloud EX4100
5.19.117
January 10, 2022
My Cloud EX2 Ultra
5.19.117
January 10, 2022
My Cloud Mirror Gen 2
5.19.117
January 10, 2022
My Cloud DL2100
5.19.117
January 10, 2022
My Cloud DL4100
5.19.117
January 10, 2022
My Cloud EX2100
5.19.117
January 10, 2022
My Cloud
5.19.117
January 10, 2022
WD Cloud
5.19.117
January 10, 2022
For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/
Advisory Summary
A flaw was discovered in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to gain potential privilege escalation. Addressed this vulnerability by updating Debian (buster) version to 2:4.9.5+dfsg-5+deb10u2.
A use-after-free vulnerability was found in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code. Addressed this vulnerability by updating the Debian (buster) version to 63.1-6+deb10u2.
CVE Number: CVE-2020-21913
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.
CVE Number: CVE-2022-22991
Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative
My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues.
CVE Number: CVE-2022-22989
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.
CVE Number: CVE-2022-22990
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative