WARNING: CRITICAL WESTERN DIGITAL MY CLOUD VULNERABILITY, PATCH IMMEDIATELY!
Reference:
Advisory #2024-233
Version:
1.0
Affected software:
Western Digital My Cloud (version: 5.29.102 and earlier)
Type:
Buffer Overflow, Remote Code Execution (RCE)
CVE/CVSS:
CVE-2024-22170: CVSS 9.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:N/C:N/I:N/A:N)
Date:
02/10/2024
Sources
https://www.westerndigital.com/support/product-security/wdc-24005-wester...
Risks
A vulnerability has been discovered in the Linux version of Western Digital My Cloud. It appears to stem from an improper restriction of operations within the bounds of a memory buffer, which causes the buffer to overflow.
It is unknown whether this vulnerability has been exploited.
Description
An unchecked buffer in the Dynamic DNS client of Western Digital My Cloud can allow an attacker to execute arbitrary code. The attacker can intercept a Dynamic DNS update request with a Man-in-the-Middle attack and return a response containing a payload that causes a buffer overflow.
The attack vector of the vulnerability is network, and it requires neither user interaction nor elevated privileges, making it a critical vulnerability.
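The defect class described above, shown as an added example that is not Western Digital's code or part of the original advisory: a Dynamic DNS client copying a server reply into a fixed-size buffer, with the length check that an unchecked copy omits. The function names, the 32-byte buffer size and the dyndns2-style status replies ("good", "nochg") are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_MAX 32 /* assumed size of the client's status buffer */

/* Hypothetical DDNS client helper, not Western Digital's code.
 * Copies the first line of an update response into a fixed buffer.
 * The unchecked pattern would be strcpy(status, resp), which writes past
 * the buffer whenever the reply is longer than STATUS_MAX - 1 bytes.
 * Returns 0 on success, -1 when the reply is rejected. */
int ddns_parse_status(const char *resp, size_t resp_len,
                      char *status, size_t status_cap)
{
    size_t n = 0, i;

    if (resp == NULL || status == NULL || status_cap == 0)
        return -1;
    status[0] = '\0';

    /* Measure the first line without reading past the received bytes. */
    while (n < resp_len && resp[n] != '\r' && resp[n] != '\n' && resp[n] != '\0')
        n++;

    /* Reject rather than truncate: an empty or oversized status line is
     * not a valid reply, and the sender may not be the real server. */
    if (n == 0 || n >= status_cap)
        return -1;

    /* Accept printable ASCII only. */
    for (i = 0; i < n; i++)
        if ((unsigned char)resp[i] < 0x20 || (unsigned char)resp[i] > 0x7e)
            return -1;

    memcpy(status, resp, n);
    status[n] = '\0';
    return 0;
}

/* Wrapper for trying constructed sample replies against the parser. */
int ddns_accepts(const char *resp)
{
    char status[STATUS_MAX];
    return ddns_parse_status(resp, strlen(resp), status, sizeof status) == 0;
}

int main(void)
{
    printf("%d\n", ddns_accepts("good 192.0.2.10\r\n")); /* constructed reply */
    return 0;
}
```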
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Please make sure to update NNM to version 5.29.102 or higher.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.