My Cloud Firmware Version 2.31.193
WDC Tracking Number: WDC-19005
Published: August 6, 2019
Last Updated: August 6, 2019
Description
My Cloud Firmware 2.31.193 includes multiple updates to help improve the security of your My Cloud devices.
Advisory Summary
Addressed SACK Panic vulnerabilities in My Cloud devices that could be exploited to cause denial of service.
- CVE Number: CVE-2019-11477
- CVE Number: CVE-2019-11478
- CVE Number: CVE-2019-11479
Resolved a directory traversal vulnerability in Twonky Server 7.0.11 through 8.5 that could allow a remote attacker to share the contents of arbitrary directories.
- CVE Number: CVE-2018-7171
Resolved a directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 that could allow remote attackers to point to files outside the current working directory via a symlink.
- CVE Number: CVE-2011-5325
A vulnerability was resolved in the automount feature of the My Cloud OS that could allow access to the contents of encrypted disks without knowledge of the passphrase.
Improved SSH login configuration by disabling the “root” user.
Added TLS to firmware and app update checks and downloads. This ensures that files cannot be tampered with in transit by verifying the signature of these downloads and updates.
Addressed a privilege escalation vulnerability in the REST API. This vulnerability allowed a user to escalate their own privileges and communicate with all endpoints of the API at an administrator level. An attacker could thereby potentially compromise all privilege levels.
- Reported by: Stu Vinton
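
For the BusyBox tar symlink traversal listed above (CVE-2011-5325), a pre-extraction check on untrusted archives can flag members that would resolve outside the extraction directory. The sketch below is an added example, not code from Western Digital or BusyBox; the names `ROOT`, `resolve`, `find_escapes` and `build_sample` are hypothetical, the two sample archives are constructed in memory, and only symlinks (not hard links) are covered.

```python
import io
import posixpath
import tarfile

ROOT = "/extract"  # virtual extraction root; nothing is written to disk

def resolve(base, path, links, hops=0):
    """Lexically resolve path from base, following symlinks declared so far."""
    if hops > 32:
        raise ValueError("symlink chain too deep")
    cur = "/" if path.startswith("/") else base
    for part in path.split("/"):
        if part in ("", "."):
            continue
        cur = posixpath.normpath(posixpath.join(cur, part))
        if cur in links:  # an earlier member made this path a symlink
            cur = resolve(posixpath.dirname(cur), links[cur], links, hops + 1)
    return cur

def find_escapes(archive_bytes):
    """Return (member name, reason) for entries that would land outside ROOT."""
    findings, links = [], {}
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for m in tar:
            name = m.name.lstrip("/")  # extractors normally strip a leading "/"
            if m.issym():
                parent = resolve(ROOT, posixpath.dirname(name), links)
                links[posixpath.join(parent, posixpath.basename(name))] = m.linkname
                dest, why = resolve(parent, m.linkname, links), "symlink target outside root"
            else:
                dest, why = resolve(ROOT, name, links), "path resolves outside root"
            if dest != ROOT and not dest.startswith(ROOT + "/"):
                findings.append((m.name, why))
    return findings

def build_sample(entries):
    """Constructed test input: (name, symlink target or None) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, target in entries:
            info = tarfile.TarInfo(name)
            if target is not None:
                info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()

SUSPECT = build_sample([("docs/readme.txt", None), ("media", "../outside"), ("media/file.bin", None)])
BENIGN = build_sample([("docs/readme.txt", None), ("latest", "docs"), ("latest/notes.txt", None)])

if __name__ == "__main__":
    for label, data in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(label, find_escapes(data))
```

Python 3.12 and later also offer `tarfile` extraction filters (`filter="data"`) that refuse links pointing outside the destination at extraction time.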