Headline
CVE-2022-29835: WDC-22014 - WD Discovery Desktop App Version 4.4.396 | Western Digital
WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This could thereby impact the confidentiality of user content. This issue affects: Western Digital WD Discovery WD Discovery Desktop App versions prior to 4.4.396 on Mac; WD Discovery Desktop App versions prior to 4.4.396 on Windows.
Last Updated: September 20, 2022
Description
WD Discovery Desktop App Version 4.4.396 includes updates to help improve the security of your WD software.
Users can download the latest version from the WD Discovery Downloads page or by following the instructions on the WD Discovery: Online User Guide.
Advisory Summary
WD Discovery versions prior to 4.4.396 were installing a Windows 7-compatible driver on Windows 10 systems that prevented the Windows 10 Memory Integrity option from being enabled. Memory integrity is a feature of core isolation that prevents malicious code from accessing high-security processes in the event of an attack. WD Discovery version 4.4.396 addresses this issue by replacing the driver with one that is compatible with Memory Integrity. In either case, old or new driver, there was no impact to normal hard drive operation.
Reported By: Western Digital would like to thank Aaron LeMieux of Microsoft for reporting this issue.
WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. This has been updated to the SHA-256 hashing algorithm to support secure code signing.
CVE Number: CVE-2022-29835