Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi Firmware Update


WDC Tracking Number: WDC-22020
Product Line/Web: My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: December 21, 2022

Last Updated: March 23, 2023

Description

Western Digital My Cloud, My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices were vulnerable to an impersonation attack that could allow an unauthenticated attacker to gain access to user data.

The updated firmware versions noted below include security updates to address these vulnerabilities. Starting March 23, 2023, devices with vulnerable firmware will not be able to connect to cloud services.

All My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices have been or will be automatically updated to the latest firmware version. Cloud access will not be available until your My Cloud Home/My Cloud Home Duo/SanDisk ibi device has been updated to firmware version 8.13.1-102 or above. Please refer to this KBA.

Users of other My Cloud devices should promptly update to the latest firmware by clicking the firmware update notification to receive the latest security fixes. Cloud access will not be available until your My Cloud device has been updated to firmware version 5.25.132 or above. Please refer to this KBA.

| Product Impact | Minimum Fix Version | Last Updated |
| --- | --- | --- |
| My Cloud PR2100 | 5.25.132 or later | December 22, 2022 |
| My Cloud PR4100 | 5.25.132 or later | December 22, 2022 |
| My Cloud EX4100 | 5.25.132 or later | December 22, 2022 |
| My Cloud EX2 Ultra | 5.25.132 or later | December 22, 2022 |
| My Cloud Mirror G2 | 5.25.132 or later | December 22, 2022 |
| My Cloud DL2100 | 5.25.132 or later | December 22, 2022 |
| My Cloud DL4100 | 5.25.132 or later | December 22, 2022 |
| My Cloud EX2100 | 5.25.132 or later | December 22, 2022 |
| My Cloud | 5.25.132 or later | December 22, 2022 |
| WD Cloud | 5.25.132 or later | December 22, 2022 |
| My Cloud Home | 8.13.1-102 | December 22, 2022 |
| My Cloud Home Duo | 8.13.1-102 | December 22, 2022 |
| SanDisk ibi | 8.13.1-102 | December 22, 2022 |
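
For administrators with several affected devices, the following added example (not Western Digital code) audits an inventory against the minimum fix versions in the table above. It assumes firmware strings have the dotted-numeric form with an optional build suffix seen in this advisory and that they compare numerically, component by component; the hostnames and firmware values in the sample are constructed.

```python
import re

# Minimum fixed firmware per product, taken from the advisory table.
OS5_MIN = "5.25.132"
HOME_MIN = "8.13.1-102"
MIN_FIX = {name: OS5_MIN for name in (
    "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX4100", "My Cloud EX2 Ultra",
    "My Cloud Mirror G2", "My Cloud DL2100", "My Cloud DL4100", "My Cloud EX2100",
    "My Cloud", "WD Cloud")}
MIN_FIX.update({name: HOME_MIN for name in (
    "My Cloud Home", "My Cloud Home Duo", "SanDisk ibi")})

def parse_version(text):
    """Turn '5.25.132' or '8.13.1-102' into a comparable tuple of ints."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*(-\d+)?", text):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    # Numeric comparison matters: as strings, '5.9' would sort above '5.25'.
    return tuple(int(part) for part in re.split(r"[.-]", text))

def audit(inventory):
    """Classify each (host, model, firmware) row as fixed, vulnerable or unknown."""
    results = {}
    for host, model, firmware in inventory:
        minimum = MIN_FIX.get(model)
        try:
            if minimum is None:
                raise ValueError("model not listed in the advisory")
            # A version missing its build suffix compares lower (conservative).
            fixed = parse_version(firmware) >= parse_version(minimum)
            results[host] = "fixed" if fixed else "vulnerable"
        except ValueError:
            results[host] = "unknown"  # needs manual review; never assume fixed
    return results

# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE = [
    ("nas-01", "My Cloud PR4100", "5.25.132"),
    ("nas-02", "My Cloud EX2 Ultra", "5.9.101"),
    ("nas-03", "My Cloud Home", "8.13.1-102"),
    ("nas-04", "My Cloud Home Duo", "8.13.1-99"),
    ("nas-05", "SanDisk ibi", "8.13.1"),
    ("nas-06", "My Cloud DL2100", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```
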

For more information on the latest security updates, see the following release notes:

My Cloud Devices
My Cloud Home/My Cloud Home Duo/SanDisk ibi

Advisory Summary

The impersonation attack issue has been resolved by making changes to the token authentication mechanism. Changes were made to ensure that the device no longer accepts a proxy connection without a proper device token.

CVE Number: CVE-2022-36331

Reported By: Claroty Research, Team82 – Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative