Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi Firmware Version 9.4.0-191


WDC Tracking Number: WDC-23003
Product Line: My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: February 13, 2023

Last Updated: March 23, 2023

Description

Western Digital My Cloud Home, My Cloud Home Duo and SanDisk ibi firmware versions 9.4.0-191 and higher include updates to help improve the security of your devices.

Your devices will be automatically updated to reflect the latest firmware version.

Product Impact
Minimum Fix Version
Last Updated
My Cloud Home
9.4.0-191
February 8, 2023
My Cloud Home Duo
9.4.0-191
February 8, 2023
SanDisk ibi
9.4.0-191
February 8, 2023

For more information on the latest security updates, see the release notes.

Advisory Summary

Addressed an uncontrolled resource consumption issue that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

CVE Number: CVE-2022-36326

Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

Addressed a path traversal vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution.

CVE Number: CVE-2022-36327

Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative

Addressed a path traversal vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations.

CVE Number: CVE-2022-36328

Reported By: Claroty Research, Team82 - Vera Mens, Noam Moshe, Uri Katz and Sharon Brizinov working with Trend Micro’s Zero Day Initiative

Addressed an improper privilege management issue that could allow an attacker to cause a denial of service over the OTA mechanism.

CVE Number: CVE-2022-36329

Addressed a buffer overflow vulnerability on firmware version validation that could lead to an unauthenticated remote code execution.

CVE Number: CVE-2022-36330