Support Product Security

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Versions 8.12.0-178

WDC Tracking Number: WDC-22018
Product Line: WD My Cloud Home, WD My Cloud Home Duo and SanDisk ibi
Published: November 14, 2022

Last Updated: November 14, 2022

Description

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi devices were vulnerable to a path traversal vulnerability which could allow an attacker to initiate installation of custom ZIP packages and overwrite system files. This could potentially lead to a code execution.

These devices were also vulnerable to multiple issues in the open-source curl package that could allow a remote attacker to obtain sensitive information, leak authentication or cookie header data or facilitate a denial-of-service attack.

My Cloud Home, My Cloud Home Duo and ibi firmware version 8.12.0-178 includes updates to address these vulnerabilities. Your devices will be automatically updated to reflect the latest firmware version.

Product Impact
Minimum Fix Version
Last Updated
My Cloud Home
8.12.0-178
November 14, 2022
My Cloud Home Duo
8.12.0-178
November 14, 2022
SanDisk ibi
8.12.0-178
November 14, 2022

For more information on the latest security updates, see the release notes.

Advisory Summary

The path traversal vulnerability was addressed by ensuring that when the final path is created, it is resolved under the target directory.

CVE Number: CVE-2022-29837

Addressed multiple curl vulnerabilities by updating the version to 7.64.0-4+deb10u3.

CVE Number: CVE-2021-22898, CVE-2021-22924, CVE-2021-22945, CVE-2021-22946, CVE-2021-22947, CVE-2022-22576, CVE-2022-27775, CVE-2022-27776, CVE-2022-27781, CVE-2022-27782, CVE-2022-32205, CVE-2022-32206, CVE-2022-32207, CVE-2022-32208