WDC Tracking Number: WDC-22002
Published: January 13, 2022
Last Updated: January 31, 2022
My Cloud OS 5 Firmware 5.19.117 includes updates to help improve the security of your My Cloud OS 5 devices.
For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/
A flaw was discovered in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to gain potential privilege escalation. Addressed this vulnerability by updating Debian (buster) version to 2:4.9.5+dfsg-5+deb10u2.
CVE Number: CVE-2020-25717
A use-after-free vulnerability was found in the International Components for Unicode (ICU) library which could result in denial of service or potentially the execution of arbitrary code. Addressed this vulnerability by updating the Debian (buster) version to 63.1-6+deb10u2.
CVE Number: CVE-2020-21913
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.
My Cloud OS 5 was vulnerable to a pre-authenticated stack overflow vulnerability on the FTP service. Addressed the vulnerability by adding defenses against stack overflow issues.
CVE Number: CVE-2022-22989
A limited authentication bypass vulnerability was discovered that could allow an attacker to achieve remote code execution and escalate privileges on the My Cloud devices. Addressed this vulnerability by changing access token validation logic and rewriting rule logic on PHP scripts.