Multiple vulnerabilities have been detected in My Cloud OS 5, the operating system of network-attached storage (NAS) solutions developed by Western Digital. According to the report, the successful exploitation of these flaws would lead to the compromise of the affected systems.
Below are brief descriptions of the reported flaws, in addition to their identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).
CVE-2022-22993: Insufficient validation of user-provided inputs within the endpoint would allow cgi_api remote users to send specially crafted HTTP requests and trick the application into initiating requests to arbitrary systems.
The flaw received a CVSS score of 3.6/10.
CVE-2022-22994: The lack of proper authentication of data received over HTTP within the ConnectivityService would allow threat actors to pass specially crafted data to the application and execute arbitrary code on the affected system.
This is a flaw of medium severity and received a CVSS score of 7.7/10.
CVE-2022-22991: Incorrect input validation within the ConnectivityService service would allow remote hackers on the local network to pass specially crafted data to the application and execute arbitrary commands.
The flaw received a CVSS score of 7.7/10.
CVE-2022-22989: A limit error within the FTP service would allow threat actors on the local network to trigger a stack-based buffer overflow and execute arbitrary code on the affected system.
This is a medium severity vulnerability and received a CVSS score of 7.7/10.
CVE-2022-22992: Incorrect input validation would allow threat actors to pass specially crafted data to the application and execute arbitrary commands on the vulnerable system.
This is a high severity flaw and received a CVSS score of 8.5/10.
CVE-2022-22990: Incorrect string matching logic when accessing protected pages within the nasAdmin service would allow remote attackers on the local network to bypass the authentication process and gain unauthorized access to the vulnerable application.
The flaw received a CVSS score of 5.5/10.
According to the report, the flaw lies in the following implementations:
- My Cloud PR2100: All versions
- My Cloud PR4100: All versions
- My Cloud EX4100: All versions
- My Cloud EX2 Ultra: All versions
- My Cloud Mirror Gen 2: all versions
- My Cloud DL2100: all versions
- My Cloud DL4100: All versions
- My Cloud EX2100: All versions
- WD My Cloud: All versions
- My Cloud: All versions
- My Cloud OS 5: versions earlier than 5.19.117
While these flaws can be exploited by unauthenticated remote threat actors, no active exploitation attempts have been detected so far. Still, Western Digital recommends users of affected deployments upgrade as soon as possible.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a well-known expert in mobile security and malware analysis. He studied Computer Science at NYU and started working as a cyber security analyst in 2003. He is actively working as an anti-malware expert. He also worked for security companies like Kaspersky Lab. His everyday job includes researching about new malware and cyber security incidents. Also he has deep level of knowledge in mobile security and mobile vulnerabilities.