My Cloud Home Firmware Version 8.7.0-107
WDC Tracking Number: WDC-22009
Published: July 11, 2022
Last Updated: July 11, 2022
Description
My Cloud Home Firmware 8.7.0-107 is a major release containing updates to help improve the security of your My Cloud Home devices. Numerous changes were made to the operating system to comprehensively improve its security and to upgrade the user experience to support our latest technologies.
The base operating system has been upgraded from an Android based operating system to the Linux operating system to align with security and stability updates from Debian 10 “Buster”.
Additionally, the Linux kernel has been updated to 4.9.266.
Your My Cloud Home device will be automatically updated to reflect the latest firmware version.
For more information on the latest security updates, see the release notes.
Advisory Summary
A vulnerability in the Linux kernel’s cgroup_release_agent_write was addressed that could lead to escalation of privileges and bypass namespace isolation unexpectedly.
CVE Number: CVE-2022-0492
Addressed an issue in OpenSSL that would make it possible to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Since certificate parsing takes place before the certificate signature verification process, this could lead to a denial-of-service attack.
CVE Number: CVE-2022-0778
Addressed a memory copy vulnerability in the Linux Wi-Fi driver.
Addressed a command injection attack that could allow a malicious attacker on the same LAN to carry out a DNS spoofing attack via an unsecured HTTP call. This was done by removing the affected code from the product.
CVE Number: CVE-2022-22991, CVE-2022-22994
Reported By: Martin Rakhmanov (@mrakhmanov) working with Trend Micro’s Zero Day Initiative
A vulnerability was discovered within the parsing of extended attributes (EA) metadata when opening a file in smbd. This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes. This vulnerability was addressed by removing the "fruit" VFS module from the list of configured VFS objects and by changing EA support configurations.
CVE Number: CVE-2021-44142
Reported By: Nguyen Hoang Thach (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) working with Trend Micro’s Zero Day Initiative
Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.8-0+deb10u1.
CVE Number: CVE-2020-20445, CVE-2020-20446, CVE-2020-20453, CVE-2020-21041, CVE-2020-22015, CVE-2020-22016, CVE-2020-22017, CVE-2020-22019, CVE-2020-22020, CVE-2020-22021, CVE-2020-22022, CVE-2020-22023, CVE-2020-22025, CVE-2020-22026, CVE-2020-22027, CVE-2020-22028, CVE-2020-22029, CVE-2020-22030, CVE-2020-22031, CVE-2020-22032, CVE-2020-22033, CVE-2020-22034, CVE-2020-22035, CVE-2020-22036, CVE-2020-22037, CVE-2020-22049, CVE-2020-22054, CVE-2020-35965, CVE-2021-38114, CVE-2021-38171, CVE-2021-38291
Addressed multiple FFmpeg vulnerabilities by updating the version to 7:4.1.9-0+deb10u1.
Implemented firmware signing to prevent malicious modifications to the firmware and verify the firmware’s authenticity and integrity.
Transitioned to Go’s crypto/tls library for secure communications.
Enabled several kernel hardening options to make exploits of kernel and userland security bugs more difficult to develop.
Addressed a remote code execution vulnerability by resolving a command injection vulnerability and closing an AWS S3 bucket that potentially allowed an attacker to execute unsigned code on My Cloud Home devices. Implemented protections on AWS credentials that were not properly protected..
CVE Number: CVE-2022-22997, CVE-2022-22998
Western Digital would like to thank Viettel Cyber Security for reporting this issue.
Addressed multiple libtiff null pointer dereference vulnerabilities by updating the version to 4.4.0.
CVE Number: CVE-2022-0562, CVE-2022-0561, CVE-2022-0865
Addressed an improper input validation and out-of-bounds write vulnerability in TensorFlow which is an open-source platform for machine learning. An attacker could pass negative values to cause a segmentation fault-based denial-of-service attack. Certain components also did not validate input arguments which could also trigger a denial-of-service attack.
CVE Number: CVE-2022-29191, CVE-2022-29213, CVE-2022-29208