CVE-2022-22994

Insufficient Verification of Data Authenticity Remote Code Execution Vulnerability on Western Digital My Cloud devices.

CVSS 8.8 HIGHEPSS 1.9%CWE-345

In short

Western Digital My Cloud devices can be tricked into executing malicious code remotely because they don't properly verify where commands are coming from. An attacker can send fake commands over the internet to take control of the device.

Technical detail

The vulnerability involves insufficient verification of data authenticity in update or communication mechanisms on My Cloud devices, allowing an attacker to inject malicious code through unsecured HTTP calls. Pre-condition: device must be accessible over the network or internet. Remediation involved disabling unverified HTTP connectivity checks to enforce proper authentication.

Summary generated and translated by AI from the official description.

A remote code execution vulnerability was discovered on Western Digital My Cloud devices where an attacker could trick a NAS device into loading through an unsecured HTTP call. This was a result insufficient verification of calls to the device. The vulnerability was addressed by disabling checks for internet connectivity using HTTP.

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Western Digital · My Cloud

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.westerndigital.com/support/product-security/wdc-22002-my-cloud-os5-firmware-5-19-117 https://www.zerodayinitiative.com/advisories/ZDI-22-349/