WDC Tracking Number: WDC-20009
Published: November 23, 2020
Last Updated: November 23, 2020
My Cloud OS 5 was vulnerable to an authentication bypass vulnerability. My Cloud Firmware 5.06.115 contains updates to resolve this vulnerability and help improve the security of your My Cloud devices.
For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/
Addressed a NAS Admin authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. The vulnerability was addressed through enhanced validation of URI paths.
Hardened the operating system by removing an upload endpoint that could be used by an authenticated administrator to upload executable PHP scripts.
CVE Number: CVE-2020-28970
Reported by: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative