My Cloud OS 5 Firmware 5.06.115


WDC Tracking Number: WDC-20009
Published: November 23, 2020

Last Updated:  November 23, 2020

Description

My Cloud OS 5 was vulnerable to an authentication bypass vulnerability. My Cloud Firmware 5.06.115 contains updates to resolve this vulnerability and help improve the security of your My Cloud devices.

Product Impact
Last Updated
My Cloud PR2100
November 19, 2020
My Cloud PR4100
November 19, 2020
My Cloud EX2 Ultra
November 19, 2020
My Cloud EX4100
November 19, 2020
My Cloud Mirror Gen 2
November 19, 2020

For more information on the latest security updates, see the release notes: https://os5releasenotes.mycloud.com/#/

Advisory Summary

Addressed a NAS Admin authentication bypass vulnerability that could allow an unauthenticated user to execute privileged commands on the device. The vulnerability was addressed through enhanced validation of URI paths.

CVE Number: CVE-2020-28940, CVE-2020-28971
Reported by: Trapa Security working with Trend Micro’s Zero Day Initiative, & DEVCORE Security Team working with Trend Micro’s Zero Day Initiative

Hardened the operating system by removing an upload endpoint that could be used by an authenticated administrator to upload executable PHP scripts.

CVE Number: CVE-2020-28970
Reported by: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative