Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi Firmware Update


WDC Tracking Number: WDC-22020
Product Line/Web:  My Cloud, My Cloud Home,
My Cloud Home Duo, and SanDisk ibi
Published: December 21, 2022

Last Updated: March 23, 2023

Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.

The updated firmware versions noted below include security updates to address these vulnerabilities. Starting March 23, 2023, devices with vulnerable firmware will not be able to connect to cloud services.

All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices have been or will be automatically updated to the latest firmware version. Cloud access will not be available until your My Cloud Home/My Cloud Home Duo/SanDisk ibi device has been updated to firmware version 8.13.1-102 or above. Please refer to this KBA.

Users of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. Cloud access will not be available until your My Cloud device has been updated to firmware version 5.25.132 or above. Please refer to this KBA.

Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.25.132 or later
December 22, 2022
My Cloud PR4100
5.25.132 or later
December 22, 2022
My Cloud EX4100
5.25.132 or later
December 22, 2022
My Cloud EX2 Ultra
5.25.132 or later
December 22, 2022
My Cloud Mirror G2
5.25.132 or later
December 22, 2022
My Cloud DL2100
5.25.132 or later
December 22, 2022
My Cloud DL4100
5.25.132 or later
December 22, 2022
My Cloud EX2100
5.25.132 or later
December 22, 2022
My Cloud
5.25.132 or later
December 22, 2022
WD Cloud
5.25.132 or later
December 22, 2022
My Cloud Home
8.13.1-102
December 22, 2022
My Cloud Home Duo
8.13.1-102
December 22, 2022
SanDisk ibi
8.13.1-102
December 22, 2022

For more information on the latest security updates, see the following release notes:

My Cloud Devices
My Cloud Home/MyCloud Home Duo/SanDisk ibi

Advisory Summary

The impersonation attack issue has been resolved by making changes to the token authentication mechanism. Changes were made to ensure that the device no longer accepts a proxy connection without a proper device token.

CVE Number: CVE-2022-36331

Reported By: Claroty Research, Team82 – Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative

Compare