WDC Tracking Number: WDC-23002
Product Line: My Cloud
Published: January 10, 2023
Last Updated: March 29, 2023
My Cloud OS 5 Firmware 5.26.119 includes updates to help improve the security of your My Cloud OS 5 devices.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
For more information on the latest security updates, see the release notes.
Addressed a remote code execution vulnerability caused by a command that read files from a privileged location and built a system command from their contents without sanitizing the data. An attacker could trigger this command remotely to execute code and gain a reverse shell.
CVE Number: CVE-2022-29841
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a command injection vulnerability in a CGI file that could allow an attacker to execute code in the context of the root user.
CVE Number: CVE-2022-29842
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
Addressed a vulnerability in the DDNS service configuration that could allow an attacker to execute code in the context of the root user.
CVE Number: CVE-2022-29843
Reported By: rskvp93 and biennd4 (from VcsLab of Viettel Cyber Security) working with Trend Micro Zero Day Initiative
Addressed a memory corruption vulnerability in the FTP service that could allow an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
CVE Number: CVE-2022-29844
Reported By: Luca MORO (@johncool__) - moro.luca@gmail.com working with Trend Micro Zero Day Initiative