WDC Tracking Number: WDC-23006
Product Line: My Cloud
Published: May 15, 2023
Last Updated: June 29, 2023
My Cloud OS 5 Firmware 5.26.202 includes updates to help improve the security of your My Cloud OS 5 devices.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
For more information on the latest security updates, see the release notes.
Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.
CVE Number: CVE-2022-36326
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.
CVE Number: CVE-2022-36327
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.
CVE Number: CVE-2022-36328
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a server-side request forgery vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter. This could allow the URL to exploit other vulnerabilities on the local server.
CVE Number: CVE-2022-29840
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
Addressed a vulnerability in the token-based authentication mechanism that could allow an attacker to carry out an impersonation attack.
CVE Number: CVE-2023-22814