Headline
CVE-2022-36330: WDC-23003 Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191 | Western Digital
A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.
This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191.
WDC Tracking Number: WDC-23003
Product Line: My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: February 13, 2023
Last Updated: February 13, 2023
Description
Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware versions 9.4.0-191 and higher include updates to help improve the security of your devices.
Your devices will be automatically updated to reflect the latest firmware version.
Product Impact
Minimum Fix Version
Last Updated
My Cloud Home
9.4.0-191
February 8, 2023
My Cloud Home Duo
9.4.0-191
February 8, 2023
SanDisk ibi
9.4.0-191
February 8, 2023
For more information on the latest security updates, see the release notes.
Advisory Summary
Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.
CVE Number: CVE-2022-36326
Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.
CVE Number: CVE-2022-36327
Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.
CVE Number: CVE-2022-36328
Addressed an improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism.
CVE Number: CVE-2022-36329
Addressed a buffer overflow vulnerability on firmware version validation that could lead to an unauthenticated remote code execution.
CVE Number: CVE-2022-36330
Related news
A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.
Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server.This issue affects My Cloud OS 5 devices before 5.26.202.