Western Digital warns owners of older My Cloud series NAS devices that they will not be able to connect to cloud services after June 15, 2023 unless their device is updated to the latest firmware (5.26.202).
Let me remind you that we also reported that Western Digital My Cloud OS Fixes Critical Vulnerability, and also that Western Digital Scared Users by Advising to Change the HDD after 3 Years of Operation.
And the media recently reported that Western Digital Admits that Users’ Personal Data Was Compromised in the Company’s Hack.
The manufacturer says this decision was made to protect users from cyberattacks, as the latest NAS firmware patches a remotely exploitable vulnerability that can be used to execute arbitrary code.
Western Digital has warned NAS owners that the following devices must be upgraded to the specified versions or they will no longer be able to access My Cloud:
- My Cloud PR2100 – 5.26.202 or newer;
- My Cloud PR4100 – 5.26.202 or newer;
- My Cloud EX4100 – 5.26.202 or newer;
- My Cloud EX2 Ultra – 5.26.202 or newer;
- My Cloud Mirror G2 – 5.26.202 or newer;
- My Cloud DL2100 – 5.26.202 or newer;
- My Cloud DL4100 – 5.26.202 or newer;
- My Cloud EX2100 – 5.26.202 or newer;
- My Cloud – 5.26.202 or newer;
- WD Cloud – 5.26.202 or newer;
- My Cloud Home – 9.4.1-101 or newer;
- My Cloud Home Duo – 9.4.1-101 or newer;
- SanDisk ibi – 9.4.1-101 or newer.
The listed firmware versions were released on May 15, 2023 and fix the following vulnerabilities:
- CVE-2022-36327 – A critical path traversal vulnerability (9.8 on the CVSS scale) that allows an attacker to write files to arbitrary locations in the file system, which leads to remote code execution without authentication on My Cloud devices;
- CVE-2022-36326 – An uncontrolled resource consumption vulnerability that can be triggered by specially crafted requests sent to vulnerable devices, resulting in a denial of service;
- CVE-2022-36328 – Another path traversal bug that allows an authenticated attacker to create arbitrary shares in arbitrary directories and steal sensitive files, passwords, users, and device configurations;
- CVE-2022-29840 – An SSRF (Server-Side Request Forgery) vulnerability that allows a malicious server on a local network to change its URL in such a way as to create a loop.