Headline
CVE-2022-29842: WDC-23002 My Cloud Firmware Version 5.26.119 | Western Digital
Improper Neutralization of Special Elements used in a Command (‘Command Injection’) vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devicesThis issue affects My Cloud OS 5: through 5.26.119.
WDC Tracking Number: WDC-23002
Product Line: My Cloud
Published: January 10, 2023
Last Updated: January 10, 2023
Description
My Cloud OS 5 Firmware 5.26.119 includes updates to help improve the security of your My Cloud OS 5 devices.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.26.119
January 10, 2023
My Cloud PR4100
5.26.119
January 10, 2023
My Cloud EX4100
5.26.119
January 10, 2023
My Cloud EX2 Ultra
5.26.119
January 10, 2023
My Cloud Mirror G2
5.26.119
January 10, 2023
My Cloud DL2100
5.26.119
January 10, 2023
My Cloud DL4100
5.26.119
January 10, 2023
My Cloud EX2100
5.26.119
January 10, 2023
My Cloud
5.26.119
January 10, 2023
WD Cloud
5.26.119
January 10, 2023
For more information on the latest security updates, see the release notes.
Advisory Summary
Addressed a remote code execution vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell.
CVE Number: CVE-2022-29841
Addressed a command injection vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file.
CVE Number: CVE-2022-29842
Addressed a vulnerability in the DDNS service configuration that could allow an attacker to execute code in the context of the root user.
CVE Number: CVE-2022-29843
Reported by: rskvp93 and biennd4 (from VcsLab of Viettel Cyber Security) working with Trend Micro Zero Day Initiative.
Addressed a memory corruption vulnerability in the FTP service that could allow an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
CVE Number: CVE-2022-29844
Reported by: Luca MORO (@johncool__) - [email protected] with Trend Micro Zero Day Initiative.
Related news
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.