My Cloud Firmware Version 5.26.202
WDC Tracking Number: WDC-23006
Product Line: My Cloud
Published: May 15, 2023
Last Updated: June 29, 2023
Description
My Cloud OS 5 Firmware 5.26.202 includes updates to help improve the security of your My Cloud OS 5 devices.
To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.
For more information on the latest security updates, see the release notes.
Advisory Summary
Addressed an uncontrolled resource consumption issue that could be triggered by sending crafted requests to a service, causing it to consume a large amount of memory and eventually resulting in the service being stopped and restarted.
CVE Number: CVE-2022-36326
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types, leading to remote code execution.
CVE Number: CVE-2022-36327
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.
CVE Number: CVE-2022-36328
Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative
Addressed a server-side request forgery vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback adapter. This could allow the URL to exploit other vulnerabilities on the local server.
CVE Number: CVE-2022-29840
Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
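The class of check that guards against a peer-supplied URL being pointed back at the loopback adapter, as an added example (not Western Digital's code and not taken from the firmware). It assumes peers on the local network are legitimate destinations and only the device's own addresses are off limits; every function name, host name and address below is constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_local_to_device(addr):
    """True for addresses that reach the device itself rather than a peer."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return ip.is_loopback or ip.is_unspecified

def vetted_addresses(url, resolve):
    """Return the addresses it is acceptable to connect to, or raise ValueError.

    Call this immediately before every request and connect to the returned
    addresses, so a URL that was acceptable when first seen cannot later be
    re-pointed at the loopback adapter between the check and the fetch.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("unsupported URL: %r" % url)
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError("host did not resolve: %r" % parts.hostname)  # fail closed
    bad = [a for a in addrs if is_local_to_device(a)]
    if bad:
        raise ValueError("destination is the local device: %s" % ", ".join(bad))
    return addrs

# Constructed name table standing in for DNS so the example runs offline.
SAMPLE_NAMES = {
    "peer.lan.example": ["192.168.1.50"],
    "rogue.lan.example": ["127.0.0.1"],  # a name that resolves to loopback
}

def sample_resolve(host):
    try:
        return [str(ipaddress.ip_address(host))]  # host is already an IP literal
    except ValueError:
        return SAMPLE_NAMES.get(host, [])

def is_allowed(url, resolve=sample_resolve):
    """Boolean wrapper around vetted_addresses for logging or tests."""
    try:
        vetted_addresses(url, resolve)
        return True
    except ValueError:
        return False
```

The decision is made on the resolved address rather than on the URL string, so a host name that maps to loopback is rejected the same way as a literal `127.0.0.1`.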
Addressed a vulnerability in the token-based authentication mechanism that could allow an attacker to carry out an impersonation attack.
CVE Number: CVE-2023-22814