Support Product Security

My Cloud Firmware Version 5.10.122

WDC Tracking Number: WDC-21002
Published: February 22, 2021

Last Updated:  February 22, 2021

Description

My Cloud OS 5 was vulnerable to a local code execution and information disclosure vulnerability. The vulnerability allowed AFP and SMB shares to follow symbolic links. This could potentially allow an attacker to execute malicious code on the user’s device and thereby take over the system. It also allowed an attacker to read data and files on the system such as the /etc/shadow file. My Cloud Firmware 5.10.122 contains updates to help resolve this vulnerability and improve the security of your My Cloud devices.

Product Impact
Last Updated
My Cloud EX2 Ultra
February 22, 2021
My Cloud Mirror Gen 2
February 22, 2021
My Cloud EX4100
February 22, 2021
My Cloud PR2100
February 22, 2021
My Cloud PR4100
February 22, 2021
My Cloud DL2100
February 22, 2021
My Cloud DL4100
February 22, 2021
My Cloud EX2100
February 22, 2021
My Cloud (P/N: WDBCTLxxxxxx-10)
February 22, 2021

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

The local code execution vulnerability was resolved by not allowing symbolic links to be followed on SMB and AFP shares. Permission changes were also made to the /etc/shadow file to prevent unprivileged users from accessing it.

CVE Number: CVE-2021-3310
Reported by: Chris Hernandez working with Trend Micro Zero Day Initiative

Masked the password of the remote backup process when viewing running processes with the admin user.