Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi Firmware Update


WDC Tracking Number: WDC-22020
Product Line/Web:  My Cloud, My Cloud Home,
My Cloud Home Duo, and SanDisk ibi
Published: December 21, 2022

Last Updated: December 21, 2022

Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an information disclosure that could allow an unauthenticated attacker to gain access to user data. The updated firmware versions noted below include security updates to address this vulnerability.

All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices will be automatically updated to the latest firmware version.

Users of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. However, please note that My Cloud users running firmware versions 5.16 and older, will need to refer to this KBA in order to update their devices.

Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.25.132 or later
December 22, 2022
My Cloud PR4100
5.25.132 or later
December 22, 2022
My Cloud EX4100
5.25.132 or later
December 22, 2022
My Cloud EX2 Ultra
5.25.132 or later
December 22, 2022
My Cloud Mirror G2
5.25.132 or later
December 22, 2022
My Cloud DL2100
5.25.132 or later
December 22, 2022
My Cloud DL4100
5.25.132 or later
December 22, 2022
My Cloud EX2100
5.25.132 or later
December 22, 2022
My Cloud
5.25.132 or later
December 22, 2022
WD Cloud
5.25.132 or later
December 22, 2022
My Cloud Home
8.13.1-102
December 22, 2022
My Cloud Home Duo
8.13.1-102
December 22, 2022
SanDisk ibi
8.13.1-102
December 22, 2022

For more information on the latest security updates, see the following release notes:

My Cloud Devices
My Cloud Home/MyCloud Home Duo/SanDisk ibiDevices

Advisory Summary

The information disclosure issue has been resolved by making changes to the token authentication mechanism.

CVE Number: CVE-2022-29840