WDC Tracking Number: WDC-19005
Published: August 6, 2019
Last Updated: August 6, 2019
My Cloud Firmware 2.31.193 includes multiple updates to help improve the security of your My Cloud devices.
Resolved a directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 that could allow remote attackers to point to files outside the current working directory via a symlink.
A vulnerability was resolved in the automount feature of the My Cloud OS that could allow access to the contents of encrypted disks without knowledge of the passphrase.
Improved SSH login configuration by disabling the “root” user.
Added TLS to firmware and app update checks and downloads. It was added to ensure that files could not be tampered with while in transit by verifying the signature of these downloads and updates.
Addressed a privilege escalation vulnerability in the REST API. This vulnerability allowed a user to escalate their own privileges and communicate with all end points of the API at an administrator level. An attacker could thereby potentially compromise all privilege levels.