Western Digital boots outdated NAS devices off of My Cloud


Western Digital is warning owners of My Cloud series devices that they will no longer be able to connect to cloud services starting on June 15, 2023, if the devices are not upgraded to the latest firmware, version 5.26.202.

The storage manufacturer decided to take this drastic measure to protect its users from cyberattacks, as the latest firmware addresses a remotely exploitable vulnerability that can be leveraged to perform unauthenticated code execution.

“Devices on firmware below 5.26.202 will not be able to connect to Western Digital cloud services starting June 15, 2023, and users will not be able to access data on their device through mycloud.com and the My Cloud OS 5 mobile app until they update the device to the latest firmware,” explains a Western Digital support bulletin.

“Users can continue to access their data via Local Access.”

My Cloud is a service that connects Network Attached Storage (NAS) devices to Western Digital’s cloud service, allowing users to store, access, backup, and share media from the web.

That said, unauthorized access to the devices or the users’ media repositories could result in severe data and privacy breaches.

Also, arbitrary code execution may even lead to ransomware being deployed on the devices, which we have seen impacting NAS devices multiple times in the recent past.

Western Digital alerted owners that the following devices need to upgrade their firmware to the designated versions, or they can no longer access My Cloud:

  • My Cloud PR2100 – 5.26.202 or later
  • My Cloud PR4100 – 5.26.202 or later
  • My Cloud EX4100 – 5.26.202 or later
  • My Cloud EX2 Ultra – 5.26.202 or later
  • My Cloud Mirror G2 – 5.26.202 or later
  • My Cloud DL2100 – 5.26.202 or later
  • My Cloud DL4100 – 5.26.202 or later
  • My Cloud EX2100 – 5.26.202 or later
  • My Cloud – 5.26.202 or later
  • WD Cloud – 5.26.202 or later
  • My Cloud Home – 9.4.1-101 or later
  • My Cloud Home Duo – 9.4.1-101 or later
  • SanDisk ibi – 9.4.1-101 or later
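
For anyone tracking several of these devices, the minimums above can be checked against an inventory. The following is an added example, not code from Western Digital or the original article; the inventory format, hostnames and installed versions are constructed assumptions. It compares versions numerically, because a plain string comparison would rank 5.9.x above 5.26.x.

```python
import re

# Minimum firmware per model, copied from the list above.
_OS5, _HOME = "5.26.202", "9.4.1-101"
MIN_FIRMWARE = {m.lower(): _OS5 for m in (
    "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX4100",
    "My Cloud EX2 Ultra", "My Cloud Mirror G2", "My Cloud DL2100",
    "My Cloud DL4100", "My Cloud EX2100", "My Cloud", "WD Cloud")}
MIN_FIRMWARE.update({m.lower(): _HOME for m in (
    "My Cloud Home", "My Cloud Home Duo", "SanDisk ibi")})


def parse_version(text):
    """'5.26.202' -> (5, 26, 202); '9.4.1-101' -> (9, 4, 1, 101)."""
    parts = re.split(r"[.-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def check(model, version):
    """Classify one device against the minimum for its model."""
    minimum = MIN_FIRMWARE.get(model.strip().lower())
    if minimum is None:
        return "unknown-model"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unparseable"
    # Tuples compare field by field as integers. A version reported without
    # its build suffix (9.4.1) sorts below 9.4.1-101 and is flagged.
    return "ok" if installed >= parse_version(minimum) else "update-required"


def audit(inventory):
    """Map each hostname in (host, model, version) rows to its status."""
    return {host: check(model, ver) for host, model, ver in inventory}


# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    ("nas-01", "My Cloud PR4100", "5.26.202"),
    ("nas-02", "My Cloud EX2 Ultra", "5.9.300"),
    ("nas-03", "My Cloud Home", "9.4.1"),
    ("nas-04", "my cloud home duo", "9.4.1-101"),
    ("nas-05", "My Cloud DL2100", "5.26.202-beta"),
    ("nas-06", "Other NAS", "1.0"),
]
```

Devices reported as `unparseable` or `unknown-model` need a manual look rather than being assumed compliant.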

The above firmware versions were released on May 15, 2023, fixing the following four vulnerabilities:

  • CVE-2022-36327: Critical severity (CVSS v3.1: 9.8) path traversal flaw allowing an attacker to write files to arbitrary filesystem locations, leading to unauthenticated (authentication bypass) remote code execution on My Cloud devices.
  • CVE-2022-36326: Uncontrolled resource consumption issue triggered by specially crafted requests sent to vulnerable devices, causing DoS. (medium severity)
  • CVE-2022-36328: Path traversal flaw allowing an authenticated attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users, and device configurations. (medium severity)
  • CVE-2022-29840: Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback. (medium severity)

To learn more about updating the firmware on your My Cloud device, check Western Digital’s instructions.

