Western Digital My Cloud OS 5, My Cloud Home & Duo and SanDisk ibi Firmware Update


WDC Tracking Number: WDC-24001
Product Line: My Cloud OS 5, My Cloud Home, My Cloud Home Duo, and SanDisk ibi
Published: February 5, 2024

Last Updated: February 5, 2024

Description

Western Digital My Cloud OS 5, My Cloud Home and SanDisk ibi device firmware versions were updated to improve the security of your devices.

| Product Impact | Minimum Fix Version | Last Updated |
| --- | --- | --- |
| My Cloud PR2100 | 5.27.161 | January 24, 2024 |
| My Cloud PR4100 | 5.27.161 | January 24, 2024 |
| My Cloud EX4100 | 5.27.161 | January 24, 2024 |
| My Cloud EX2 Ultra | 5.27.161 | January 24, 2024 |
| My Cloud Mirror G2 | 5.27.161 | January 24, 2024 |
| My Cloud DL2100 | 5.27.161 | January 24, 2024 |
| My Cloud DL4100 | 5.27.161 | January 24, 2024 |
| My Cloud EX2100 | 5.27.161 | January 24, 2024 |
| My Cloud (Glacier) | 5.27.161 | January 24, 2024 |
| WD Cloud | 5.27.161 | January 24, 2024 |
| My Cloud Home | 9.5.1-104 | February 5, 2024 |
| My Cloud Home Duo | 9.5.1-104 | February 5, 2024 |
| SanDisk ibi | 9.5.1-104 | February 5, 2024 |

For My Cloud Devices:

For more information on the latest security updates, see the release notes. For My Cloud OS 5 devices, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.

For My Cloud Home and SanDisk ibi Devices:

For more information on the latest security updates, see the release notes. My Cloud Home, My Cloud Home Duo and SanDisk ibi devices will be automatically updated to reflect the latest firmware version.

Advisory Summary

Addressed a server-side request forgery vulnerability by fixing DNS addresses that refer to loopback. The vulnerability could allow a rogue server on the local network to modify its URL using another DNS address to point back to the loopback adapter. This could then allow the URL to exploit other vulnerabilities on the local server.

CVE Number: CVE-2023-22817

Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative

Addressed an uncontrolled resource consumption issue on a particular endpoint that could arise by sending crafted requests to a service to consume a large amount of memory, eventually resulting in the service being stopped and restarted.

CVE Number: CVE-2023-22819

Reported By: Sam Thomas (@_s_n_t) of Pentest Ltd (@pentestltd) working with Trend Micro’s Zero Day Initiative
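
An added example, not Western Digital's code: one way a service can guard outbound fetches against hostnames that resolve to loopback, the issue class described for CVE-2023-22817. The function names, sample hostnames and DNS answers are constructed for illustration; the name is resolved once, every answer is checked, and the caller connects to the vetted address rather than resolving again.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def resolve(host, port):
    """Default resolver: every address the system resolver returns for host."""
    infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def points_to_local(addr):
    """True if addr is loopback or unspecified, including IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 -> 127.0.0.1
    return ip.is_loopback or ip.is_unspecified


def vet_url(url, resolver=resolve):
    """Return (host, port, pinned_ip) for an outbound fetch, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("unsupported URL")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addrs = resolver(parts.hostname, port)
    if not addrs:
        raise ValueError("no addresses")
    # Reject if ANY answer is local: a mixed answer set is how a name that
    # looks external can still be steered back to the loopback adapter.
    for addr in addrs:
        if points_to_local(addr):
            raise ValueError(f"{parts.hostname} resolves to local address {addr}")
    return parts.hostname, port, addrs[0]


# Constructed DNS answers standing in for a real resolver (not real records).
SAMPLE_DNS = {
    "updates.example.com": ["203.0.113.10"],
    "rebind.example.net": ["203.0.113.10", "127.0.0.1"],
    "mapped.example.net": ["::ffff:127.0.0.1"],
}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [host])  # IP literals resolve to themselves
```

The HTTP client should connect to the returned `pinned_ip` and send the original hostname in the Host header and TLS SNI, so a second DNS lookup cannot return a different address.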