Cybersecurity specialists report the detection of two critical vulnerabilities in Western Digital My Cloud OS 5, a solution for creating backups and managing large volumes of content from multiple computers on a particular private network. According to the report, the successful exploitation of these flaws would put the affected systems at risk.
Below are brief descriptions of the reported flaw, in addition to their respective tracking keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-0194: A limit error within the ad_addcomment function would allow unauthenticated remote threat actors to trigger a stack-based buffer overflow and execute arbitrary code on the vulnerable system.
This is considered a high severity flaw and received a CVSS score of 8.5/10 and resides on the following versions of My Cloud OS:
- My Cloud PR2100: All versions
- My Cloud PR4100: All versions
- My Cloud EX4100: All versions
- My Cloud EX2 Ultra: All versions
- My Cloud Mirror Gen 2: All versions
- My Cloud DL2100: All versions
- My Cloud DL4100: All versions
- My Cloud EX2100: All versions
- My Cloud: All versions
- WD Cloud: All versions
- My Cloud Home: All versions
- My Cloud OS 5: Versions earlier than 5.19.117, 7.16-220
CVE-2021-44142: On the other hand, a limit error when processing EA metadata when opening files in smbd within the VFS Samba module would allow remote threat actors capable of writing to the extended attributes of the file triggering an off-limits write and execute arbitrary code with root user privileges.
This is a highly severe vulnerability and received a CVSS score of 8.6/10. According to the report, the flaw lies in the following products and versions:
- WD Cloud: All versions
- My Cloud: All versions
- My Cloud EX2100: All versions
- My Cloud DL4100: All versions
- My Cloud DL2100: All versions
- My Cloud Mirror Gen 2: All versions
- My Cloud EX4100: All versions
- My Cloud EX2 Ultra: All versions
- My Cloud PR4100: All versions
- My Cloud PR2100: All versions
- My Cloud OS 5: Versions earlier than v5.21.104
While these flaws can be exploited by unauthenticated threat actors over the Internet, so far no active exploitation attempts related to these reports have been detected. Still, Western Digital recommends users of affected deployments fix the flaws as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.