My Cloud Firmware Version 2.31.193


WDC Tracking Number: WDC-19005
Published: August 6, 2019

Last Updated: August 6, 2019

Description

My Cloud Firmware 2.31.193 includes multiple updates to help improve the security of your My Cloud devices.

Product Impact
Last Updated
My Cloud
August 6, 2019
My Cloud Mirror Gen
August 6, 2019
My Cloud EX2 Ultra
August 6, 2019
My Cloud EX2100
August 6, 2019
My Cloud EX4100
August 6, 2019
My Cloud DL2100
August 6, 2019
My Cloud DL4100
August 6, 2019
My Cloud PR2100
August 6, 2019
My Cloud PR4100
August 6, 2019

Advisory Summary

Addressed SACK Panic vulnerabilities in My Cloud devices that could cause denial of service attacks.

Resolved a directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 that could allow a remote attacker to share the contents of arbitrary directories.

Resolved a directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 that could allow remote attackers to point to files outside the current working directory via a symlink.

A vulnerability was resolved in the automount feature of the My Cloud OS that could allow access to the contents of encrypted disks without knowledge of the passphrase.

Improved SSH login configuration by disabling the “root” user. 

Added TLS to firmware and app update checks and downloads. It was added to ensure that files could not be tampered with while in transit by verifying the signature of these downloads and updates. 

Addressed a privilege escalation vulnerability in the REST API. This vulnerability allowed a user to escalate their own privileges and communicate with all end points of the API at an administrator level. An attacker could thereby potentially compromise all privilege levels.

  • Reported by: Stu Vinton