Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36330: WDC-23003 Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191 | Western Digital

A buffer overflow vulnerability was discovered on firmware version validation that could lead to an unauthenticated remote code execution in Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices. An attacker would require exploitation of another vulnerability to raise their privileges in order to exploit this buffer overflow vulnerability.

This issue affects My Cloud Home and My Cloud Home Duo: through 9.4.0-191; ibi: through 9.4.0-191.

CVE
#vulnerability#dos#git#rce#buffer_overflow#auth

WDC Tracking Number: WDC-23003
Product Line: My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: February 13, 2023

Last Updated: February 13, 2023

Description

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware versions 9.4.0-191 and higher include updates to help improve the security of your devices.

Your devices will be automatically updated to reflect the latest firmware version.

Product Impact

Minimum Fix Version

Last Updated

My Cloud Home

9.4.0-191

February 8, 2023

My Cloud Home Duo

9.4.0-191

February 8, 2023

SanDisk ibi

9.4.0-191

February 8, 2023

For more information on the latest security updates, see the release notes.

Advisory Summary

Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

CVE Number: CVE-2022-36326

Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.

CVE Number: CVE-2022-36327

Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.

CVE Number: CVE-2022-36328

Addressed an improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism.

CVE Number: CVE-2022-36329

Addressed a buffer overflow vulnerability on firmware version validation that could lead to an unauthenticated remote code execution.

CVE Number: CVE-2022-36330

Related news

SMB Edge Devices Walloped With Asus, Zyxel Patch Warnings

A slew of critical advisories this week showcase an exploding edge device attack surface for SMBs, which have limited cybersecurity protection, visibility, and maintenance available.

CVE-2022-29840: WDC-23006 My Cloud Firmware Version 5.26.202 | Western Digital

Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter was addressed in Western Digital My Cloud OS 5 devices. This could allow the URL to exploit other vulnerabilities on the local server.This issue affects My Cloud OS 5 devices before 5.26.202.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907