CVE-2022-36330: WDC-23003 Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191 | Western Digital

WDC Tracking Number: WDC-23003
Product Line: My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: February 13, 2023

Last Updated: February 13, 2023

Description

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware versions 9.4.0-191 and higher include updates to help improve the security of your devices.

Your devices will be automatically updated to reflect the latest firmware version.

Product Impact

Minimum Fix Version

Last Updated

My Cloud Home

9.4.0-191

February 8, 2023

My Cloud Home Duo

9.4.0-191

February 8, 2023

SanDisk ibi

9.4.0-191

February 8, 2023

For more information on the latest security updates, see the release notes.

Advisory Summary

Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

CVE Number: CVE-2022-36326

Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.

CVE Number: CVE-2022-36327

Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.

CVE Number: CVE-2022-36328

Addressed an improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism.

CVE Number: CVE-2022-36329

Addressed a buffer overflow vulnerability on firmware version validation that could lead to an unauthenticated remote code execution.

CVE Number: CVE-2022-36330