Summary: Western Digital has issued a security advisory regarding a critical vulnerability (CVE-2024-22170) affecting various My Cloud devices, which could allow attackers to execute arbitrary code. This high-severity flaw, with a CVSS score of 9.2, can be exploited through a Man-in-the-Middle attack, posing significant risks to user data and device integrity.
Threat Actor: Unknown
Victim: Western Digital
Key Points:
- Vulnerability CVE-2024-22170 allows arbitrary code execution on affected My Cloud devices.
- The flaw is due to an unchecked buffer in the Dynamic DNS client, exploitable via Man-in-the-Middle attacks.
- Western Digital has released a firmware update (version 5.29.102) to mitigate the vulnerability.
- Affected devices include My Cloud EX2 Ultra, EX4100, PR2100, PR4100, and others.
- Users are urged to update their devices immediately to safeguard against potential exploitation.

Western Digital has released a security advisory addressing a high-severity vulnerability (CVE-2024-22170) impacting a range of My Cloud devices. The vulnerability, which carries a CVSS score of 9.2, could allow attackers to execute arbitrary code on affected devices, potentially leading to unauthorized access, data breaches, and other malicious activities.
The flaw resides in the Dynamic DNS client and stems from an unchecked buffer. This weakness can be exploited by attackers through a Man-in-the-Middle (MitM) attack, enabling them to inject malicious payloads into Dynamic DNS update requests, causing a buffer overflow. This, in turn, could lead to the execution of arbitrary code, granting attackers significant control over the compromised device.
Western Digital would like to thank Claroty Research – Team82 – Noam Moshe, working with Trend Micro Zero Day Initiative, for their responsible disclosure of this vulnerability.
The following My Cloud devices are vulnerable to the CVE-2024-22170 flaw:
- My Cloud EX2 Ultra
- My Cloud EX4100
- My Cloud PR2100
- My Cloud PR4100
- My Cloud
- My Cloud Mirror G2
- My Cloud EX2100
- My Cloud DL2100
- My Cloud DL4100
- WD Cloud
Western Digital has addressed the vulnerability in My Cloud OS 5 Firmware version 5.29.102. Users are strongly urged to update their devices to this version immediately to protect their data and systems from potential exploitation.
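
To find devices still below the fixed firmware, the check below triages an asset inventory against the affected model list and version 5.29.102 given above. It is an added example, not Western Digital's tooling; the CSV layout (host, model, firmware), the hostnames and the sample firmware values are constructed, and dotted numeric version strings are assumed.

```python
import csv
import io

# Both values come from the advisory text above.
FIXED_VERSION = "5.29.102"
AFFECTED_MODELS = {
    "my cloud ex2 ultra", "my cloud ex4100", "my cloud pr2100",
    "my cloud pr4100", "my cloud", "my cloud mirror g2",
    "my cloud ex2100", "my cloud dl2100", "my cloud dl4100", "wd cloud",
}

def parse_version(text):
    """Turn '5.29.102' into (5, 29, 102); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(inventory_csv):
    """Return {host: status} for each row of a host,model,firmware CSV."""
    fixed = parse_version(FIXED_VERSION)
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host = row["host"].strip()
        # Normalise case and whitespace, then match the model name exactly.
        if " ".join(row["model"].lower().split()) not in AFFECTED_MODELS:
            results[host] = "not-listed"
            continue
        try:
            current = parse_version(row["firmware"])
        except ValueError:
            results[host] = "check-manually"  # never assume patched
            continue
        # Numeric tuple comparison: as plain strings, "5.9.3" sorts above "5.29.102".
        results[host] = "patched" if current >= fixed else "needs-update"
    return results

# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE = """host,model,firmware
nas-01,My Cloud PR4100,5.29.102
nas-02,My Cloud EX2 Ultra,5.28.105
nas-03,WD Cloud,5.9.3
nas-04,My Cloud  Mirror G2,unknown
nas-05,Example NAS 9000,1.0.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows whose firmware string cannot be parsed are reported as check-manually rather than treated as patched.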