Support Product Security

My Cloud OS 5 Firmware 5.21.104

WDC Tracking Number: WDC-22006
Published: March 24, 2022

Last Updated: March 24, 2022

Description

My Cloud OS 5 devices were vulnerable to a heap out-of-bounds read/write vulnerability in Samba versions prior to 4.13.17 that use the VFS module vfs_fruit. This could allow a remote attacker to execute arbitrary code as root on the devices. My Cloud OS 5 Firmware 5.21.104 released on March 23, 2022 includes updates to Samba to address this vulnerability.

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

Product Impact
Minimum Fix Version
Last Updated
My Cloud PR2100
5.21.104
March 22, 2022
My Cloud PR4100
5.21.104
March 22, 2022
My Cloud EX4100
5.21.104
March 22, 2022
My Cloud EX2 Ultra
5.21.104
March 22, 2022
My Cloud Mirror Gen 2
5.21.104
March 22, 2022
My Cloud DL2100
5.21.104
March 22, 2022
My Cloud DL4100
5.21.104
March 22, 2022
My Cloud EX2100
5.21.104
March 22, 2022
My Cloud
5.21.104
March 22, 2022
WD Cloud
5.21.104
March 22, 2022

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

This specific flaw exists within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.

CVE Number: CVE-2021-44142

Reported By: Nguyen Hoang Thach (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative