A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.
Weakness
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| My_cloud_os | Westerndigital | * | 5.19.117 (excluding) |
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/111.html
- https://cwe.mitre.org/data/definitions/141.html
- https://cwe.mitre.org/data/definitions/142.html
- https://cwe.mitre.org/data/definitions/148.html
- https://cwe.mitre.org/data/definitions/218.html
- https://cwe.mitre.org/data/definitions/384.html
- https://cwe.mitre.org/data/definitions/385.html
- https://cwe.mitre.org/data/definitions/386.html
- https://cwe.mitre.org/data/definitions/387.html
- https://cwe.mitre.org/data/definitions/388.html
- https://cwe.mitre.org/data/definitions/665.html
- https://cwe.mitre.org/data/definitions/701.html
References
- https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117
- https://www.zerodayinitiative.com/advisories/ZDI-22-349/
- https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117
- https://www.zerodayinitiative.com/advisories/ZDI-22-349/