First published: Thu Jan 13 2022
A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. The vulnerability was addressed by disabling the checks for internet connectivity that used HTTP.
Credit: psirt@wdc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Western Digital MyCloud PR4100 | ||
Westerndigital My Cloud Os | <5.19.117 | |
Westerndigital My Cloud | ||
Westerndigital My Cloud Dl2100 | ||
Westerndigital My Cloud Dl4100 | ||
Westerndigital My Cloud Ex2 Ultra | ||
Westerndigital My Cloud Ex2100 | ||
Westerndigital My Cloud Ex4100 | ||
Westerndigital My Cloud Mirror Gen 2 | ||
Westerndigital My Cloud Pr2100 | ||
Westerndigital My Cloud Pr4100 | ||
Westerndigital Wd Cloud | ||

Update your My Cloud device to firmware version 5.19.117.
CVE-2022-22991 is a vulnerability that allows network-adjacent attackers to execute arbitrary code on affected installations of Western Digital MyCloud PR4100.
Authentication is not required to exploit this vulnerability.
The severity of CVE-2022-22991 is high with a CVSS score of 8.8.
Western Digital MyCloud PR4100 devices running My Cloud OS versions earlier than 5.19.117 are affected by this vulnerability.
To fix CVE-2022-22991, update your Western Digital MyCloud PR4100 to the latest firmware version.