WDC Tracking Number: WDC-23002
Product Line: My Cloud
Published: January 10, 2023
Last Updated: March 29, 2023
My Cloud OS 5 Firmware 5.26.119 includes updates to help improve the security of your My Cloud OS 5 devices.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
For more information on the latest security updates, see the release notes.
Addressed a remote code execution vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell.
CVE Number: CVE-2022-29841
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a command injection vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file.
CVE Number: CVE-2022-29842
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
Addressed a vulnerability in the DDNS service configuration that could allow an attacker to execute code in the context of the root user.
CVE Number: CVE-2022-29843
Reported by: rskvp93 and biennd4 (from VcsLab of Viettel Cyber Security) working with Trend Micro Zero Day Initiative.
Addressed a memory corruption vulnerability in the FTP service that could allow an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
CVE Number: CVE-2022-29844
Reported by: Luca MORO (@johncool__) - email@example.com working with Trend Micro Zero Day Initiative.