WDC Tracking Number: WDC-22020
Product Line/Web: My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: December 21, 2022
Last Updated: March 23, 2023
Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.
The updated firmware versions noted below include security updates to address these vulnerabilities. Starting March 23, 2023, devices with vulnerable firmware will not be able to connect to cloud services.
All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices have been or will be automatically updated to the latest firmware version. Cloud access will not be available until your My Cloud Home/My Cloud Home Duo/SanDisk ibi device has been updated to firmware version 8.13.1-102 or above. Please refer to this KBA.
Users of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. Cloud access will not be available until your My Cloud device has been updated to firmware version 5.25.132 or above. Please refer to this KBA.
The impersonation attack issue has been resolved by making changes to the token authentication mechanism. Changes were made to ensure that the device no longer accepts a proxy connection without a proper device token.
CVE Number: CVE-2022-36331
Reported By: Claroty Research, Team82 – Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
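The following is an added example, not part of Western Digital's advisory or tooling: a small inventory check that flags devices still below the fixed firmware versions stated above. The host names and the firmware strings in the sample inventory are constructed, and the version parsing assumes firmware strings follow the dotted and dashed numeric form shown in this advisory.

```python
import re

# Minimum fixed firmware per product line, as stated in this advisory.
MIN_FIXED = {
    "My Cloud Home": "8.13.1-102",
    "My Cloud Home Duo": "8.13.1-102",
    "SanDisk ibi": "8.13.1-102",
    "My Cloud": "5.25.132",
}

def parse_version(text):
    """Turn '8.13.1-102' or '5.25.132' into a tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:[.-]\d+)*", text):
        raise ValueError(f"unrecognised firmware version {text!r}")
    return tuple(int(part) for part in re.split(r"[.-]", text))

def is_fixed(product, firmware):
    """True if firmware is at or above the fixed version for the product."""
    if product not in MIN_FIXED:
        raise ValueError(f"product line {product!r} not covered by WDC-22020")
    have, need = parse_version(firmware), parse_version(MIN_FIXED[product])
    # Pad to equal length so a missing build number compares as 0.
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    # Numeric comparison: 5.9.100 is older than 5.25.132, unlike string order.
    return have >= need

def audit(inventory):
    """Return (host, action) for every device that is not confirmed fixed."""
    findings = []
    for host, product, firmware in inventory:
        try:
            if not is_fixed(product, firmware):
                findings.append((host, f"update to {MIN_FIXED[product]} or above"))
        except ValueError as exc:
            findings.append((host, f"manual review: {exc}"))
    return findings

# Constructed sample inventory: (host, product line, reported firmware).
SAMPLE_INVENTORY = [
    ("nas-01", "My Cloud Home", "8.13.1-102"),
    ("nas-02", "My Cloud Home Duo", "8.12.0-178"),
    ("nas-03", "My Cloud", "5.25.132"),
    ("nas-04", "My Cloud", "5.9.100"),
    ("nas-05", "SanDisk ibi", "unknown"),
]
```

Devices that `audit` returns with an update action are the ones that, per the advisory, lose cloud access until they are updated.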