Multiple vulnerabilities have been detected in My Cloud OS 5, the operating system of network-attached storage (NAS) solutions developed by Western Digital. According to the report, the successful exploitation of these flaws would lead to the compromise of the affected systems.

Below are brief descriptions of the reported flaws, in addition to their identification keys and scores assigned according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-22993: Insufficient validation of user-provided inputs within the endpoint would allow cgi_api remote users to send specially crafted HTTP requests and trick the application into initiating requests to arbitrary systems.

The flaw received a CVSS score of 3.6/10.

CVE-2022-22994: The lack of proper authentication of data received over HTTP within the ConnectivityService would allow threat actors to pass specially crafted data to the application and execute arbitrary code on the affected system.

This is a flaw of medium severity and received a CVSS score of 7.7/10.

CVE-2022-22991: Incorrect input validation within the ConnectivityService service would allow remote hackers on the local network to pass specially crafted data to the application and execute arbitrary commands.

The flaw received a CVSS score of 7.7/10.

CVE-2022-22989: A limit error within the FTP service would allow threat actors on the local network to trigger a stack-based buffer overflow and execute arbitrary code on the affected system.

This is a medium severity vulnerability and received a CVSS score of 7.7/10.

CVE-2022-22992: Incorrect input validation would allow threat actors to pass specially crafted data to the application and execute arbitrary commands on the vulnerable system.

This is a high severity flaw and received a CVSS score of 8.5/10.

CVE-2022-22990: Incorrect string matching logic when accessing protected pages within the nasAdmin service would allow remote attackers on the local network to bypass the authentication process and gain unauthorized access to the vulnerable application.

The flaw received a CVSS score of 5.5/10.

According to the report, the flaw lies in the following implementations:

  • My Cloud PR2100: All versions
  • My Cloud PR4100: All versions
  • My Cloud EX4100: All versions
  • My Cloud EX2 Ultra: All versions
  • My Cloud Mirror Gen 2: all versions
  • My Cloud DL2100: all versions
  • My Cloud DL4100: All versions
  • My Cloud EX2100: All versions
  • WD My Cloud: All versions
  • My Cloud: All versions
  • My Cloud OS 5: versions earlier than 5.19.117

While these flaws can be exploited by unauthenticated remote threat actors, no active exploitation attempts have been detected so far. Still, Western Digital recommends users of affected deployments upgrade as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

The post 6 critical vulnerabilities in Western Digital My Cloud OS 5 appeared first on Information Security Newspaper | Hacking News.

source

You May Also Like

2 vulnerabilities in Zyxel Armor home routers: Patch immediately

Cybersecurity specialists report the detection of some severe vulnerabilities in Zyxel Armor…

Critical Remote code execution vulnerability in Palo Alto Networks Cortex XSOAR

Cybersecurity specialists report the detection of a critical vulnerability in Cortex XSOAR,…

Windows Zero-Day accidentally disclosed by Chinese Researchers

Security researchers in China have accidentally disclosed a critical Windows zero-day bug…

31 critical vulnerabilities in Vim: Update immediately

Cybersecurity specialists report the detection of multiple vulnerabilities in the popular Vim…