My Cloud Firmware Version 5.04.114


WDC Tracking Number: WDC-20007
Product Line/Web: My Cloud
Published: October 27, 2020

Last Updated: October 27, 2020

Description

My Cloud Firmware 5.04.114 is a major security release containing updates to help improve the security of your My Cloud devices. Numerous changes were made to the operating system in order to comprehensively improve its security and to upgrade the user experience to support our latest technologies. The major user-visible security highlights of this release are listed below.

The base operating system has been upgraded to align with security and stability updates from Debian 10 “Buster”:

  • Updated Samba to version 4.9.5+dfsg-5+deb10u1
  • Updated Apache to version 2.4.38-3+deb10u3
  • Updated PHP to version to 7.3.19-1~deb10u1
  • Updated OpenSSL to version 1.1.1d-0+deb10u3
  • Updated OpenSSH to version 7.9p1-10
  • Updated glibc to version 2.28-10
  • Updated MariaDB to version 10.3_10.3.22-0+deb10u1
  • Updated rsync to version 3.1.3-6
  • Updated various other open source packages to newer versions based on Debian 10 ("Buster")

Additionally, the Linux kernel has been updated to 4.14 LTS.

The security of the administrative features of the device has been improved and hardened. The admin user now requires a password, and the admin dashboard and apps have been restricted to admin access only through a new authentication frontend. Non-admin users are no longer allowed to access or communicate with privileged CGI processes or apps on the device, which reduces the attack surface of the operating system and prevents several classes of remote code execution vulnerabilities.

The admin dashboard now also supports HTTPS with automatic certificate generation through Let’s Encrypt. If the device has been able to obtain a valid certificate and the browser is able to resolve the device correctly, the browser will be automatically redirected to HTTPS when accessing the admin dashboard.

Product Impact
Last Updated
My Cloud Mirror Gen2
27 October, 2020
My Cloud EX2 Ultra
27 October, 2020
My Cloud EX4100
27 October, 2020
My Cloud PR2100
27 October, 2020
My Cloud PR4100
27 October, 2020

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

Addressed multiple stack buffer overflow vulnerabilities that could allow an attacker to carry out escalation of privileges through unauthorized remote code execution.

CVE Number: CVE-2020-12830
Reported by: Jae Young Jeong

Resolved vulnerability in FTP configuration that allowed full access to FTP shares.

Reported by: Miguel Carnero Gregorio

Addressed multiple remote code execution vulnerabilities that allowed escalation of privileges.

CVE Number: CVE-2020-25765, CVE-2020-27158, CVE-2020-27159, CVE-2020-27160, CVE-2020-27744
Reported by: Abdulla Ismayilov of UnderDefense