My Cloud Home 3.6.0 and ibi 3.6.0, Session Invalidation Vulnerability


WDC Tracking Number: WDC-19013
Product Line/Web: My Cloud Home and ibi
Published: October 17, 2019

Last Updated: October 17, 2019

Description

Version 3.6.0 includes updates to improve the security of your My Cloud Home and ibi. Previous versions are potentially vulnerable to session invalidation issues: they failed to terminate all open sessions on a password reset, password change or deletion of a user account. This vulnerability may lead to a compromise of data if a password reset, password change or account deletion activity does not require re-authentication. Version 3.6.0 addresses all of these session invalidation issues.

My Cloud Home 3.6.0 and ibi 3.6.0 include updates to improve the security of your devices. Previous versions failed to terminate all open sessions on a password reset, password change or deletion of a user account.

Product Impact    Last Updated
My Cloud Home     October 17, 2019
ibi               October 17, 2019

Advisory Summary

The lack of proper session termination may increase the likelihood that certain attacks succeed. For instance, a user might access a web site from a shared computer (such as at a library, Internet cafe, or open work environment). Failure to invalidate the session could allow an attacker to use the browser's back button to access web pages previously accessed by the victim. In the 3.6.0 release, this session invalidation issue has been addressed, and all sessions now terminate on a password change, password reset or deletion of a user account.
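The behaviour described above, modelled as an added example (not Western Digital's code): a session store that indexes tokens per account and revokes them all on password change, password reset or account deletion, with a switch that reproduces the pre-fix behaviour for comparison. The class, method names and the "alice" account are hypothetical and constructed for illustration.

```python
import hashlib, hmac, secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    # Hypothetical in-memory account/session store, for illustration only.
    def __init__(self, revoke_on_credential_event=True):
        self.revoke = revoke_on_credential_event  # False models the pre-fix behaviour
        self._creds = {}     # user -> (salt, password hash)
        self._sessions = {}  # token -> user
        self._by_user = {}   # user -> set of tokens, so revocation is per account

    def set_password(self, user, password):
        """Used for account creation, password change and password reset."""
        salt = secrets.token_bytes(16)
        self._creds[user] = (salt, _kdf(password, salt))
        if self.revoke:
            self._revoke_all(user)  # every open session ends with the old credential

    def delete_user(self, user):
        self._creds.pop(user, None)
        if self.revoke:
            self._revoke_all(user)  # a deleted account must not keep live sessions

    def login(self, user, password):
        salt, digest = self._creds.get(user, (b"", b""))
        if not digest or not hmac.compare_digest(digest, _kdf(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        self._by_user.setdefault(user, set()).add(token)
        return token

    def is_valid(self, token):
        return token in self._sessions

    def _revoke_all(self, user):
        for token in self._by_user.pop(user, set()):
            self._sessions.pop(token, None)

def surviving_sessions(event, revoke):
    """Open two sessions, apply the event, count sessions still accepted."""
    store = SessionStore(revoke_on_credential_event=revoke)
    store.set_password("alice", "old-pass")  # constructed sample account
    tokens = [store.login("alice", "old-pass") for _ in range(2)]
    if event == "delete":
        store.delete_user("alice")
    else:  # "change" and "reset" both end in a new password being set
        store.set_password("alice", "new-pass")
    return sum(store.is_valid(t) for t in tokens)
```

With revocation disabled, both sessions opened before the event remain valid afterwards; with it enabled, none do.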

CVE Number: CVE-2020-8990

Reported by: Tayyab Sial