Score: 7.8
CWE-757

CVE-2022-23000: Weak Default SSL use in Port Forwarding Service

First published: Mon Jul 25 2022

The Western Digital My Cloud Web App [https://os5.mycloud.com/] uses a weak SSLContext when attempting to configure port forwarding rules. This was enabled to maintain compatibility with old or outdated home routers. By using an "SSL" context instead of "TLS" or specifying stronger validation, deprecated or insecure protocols are permitted. As a result, a local user with no privileges can exploit this vulnerability and jeopardize the integrity, confidentiality and authenticity of information transmitted. The scope of impact cannot extend to other components and no user input is required to exploit this vulnerability.
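The contrast the description draws, a permissive context kept for old routers versus one that refuses deprecated protocols and validates the peer, is shown below as an added example; it is not Western Digital's code. It assumes Python's standard `ssl` module as the stand-in API, and the function names and finding labels are hypothetical.

```python
import ssl
import warnings


def legacy_compat_context() -> ssl.SSLContext:
    """Constructed 'before' case: permissive settings chosen for old routers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # peer certificate is never validated
    with warnings.catch_warnings():
        # Newer Python versions warn when a deprecated floor is selected.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def hardened_context() -> ssl.SSLContext:
    """'After' case: system trust store, hostname checks, TLS 1.2 floor."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the settings that leave a session open to protocol downgrade."""
    findings = []
    # MINIMUM_SUPPORTED also compares below TLSv1_2, so it is flagged too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("deprecated-protocol-allowed")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings


if __name__ == "__main__":
    for name, ctx in (("legacy", legacy_compat_context()),
                      ("hardened", hardened_context())):
        print(name, ctx.minimum_version.name, audit_context(ctx) or "ok")
```

The same audit function can be run in a unit test against whatever context a client library builds, so a compatibility change that lowers the protocol floor fails the build instead of shipping.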

Credit: psirt@wdc.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| Western Digital My Cloud Pr2100 Firmware | <5.23.114 | |
| Western Digital My Cloud Pr2100 | | |
| Western Digital My Cloud Pr4100 Firmware | <5.23.114 | |
| Western Digital My Cloud Pr4100 | | |
| Western Digital My Cloud Ex4100 Firmware | <5.23.114 | |
| Western Digital My Cloud Ex4100 | | |
| Western Digital My Cloud Ex2 Ultra Firmware | <5.23.114 | |
| Western Digital My Cloud Ex2 Ultra | | |
| Western Digital My Cloud Mirror G2 Firmware | <5.23.114 | |
| Western Digital My Cloud Mirror G2 | | |
| Western Digital My Cloud Dl2100 Firmware | <5.23.114 | |
| Western Digital My Cloud Dl2100 | | |
| Western Digital My Cloud Dl4100 Firmware | <5.23.114 | |
| Western Digital My Cloud Dl4100 | | |
| Western Digital My Cloud Ex2100 Firmware | <5.23.114 | |
| Western Digital My Cloud Ex2100 | | |
| Western Digital My Cloud Firmware | <5.23.114 | |
| Western Digital My Cloud | | |

Remedy

To take advantage of the latest security fixes, Western Digital recommends that users promptly update their devices to the latest firmware by clicking on the firmware update notification.


Frequently Asked Questions

  • What is the severity of CVE-2022-23000?

    The severity of CVE-2022-23000 is high.

  • What is the affected software for CVE-2022-23000?

    The affected software for CVE-2022-23000 is Western Digital My Cloud Pr2100 Firmware, Western Digital My Cloud Pr4100 Firmware, Western Digital My Cloud Ex4100 Firmware, Western Digital My Cloud Ex2 Ultra Firmware, Western Digital My Cloud Mirror G2 Firmware, Western Digital My Cloud Dl2100 Firmware, Western Digital My Cloud Dl4100 Firmware, Western Digital My Cloud Ex2100 Firmware, and Western Digital My Cloud Firmware.

  • How does CVE-2022-23000 impact the Western Digital My Cloud Web App?

    CVE-2022-23000 impacts the Western Digital My Cloud Web App by using a weak SSLContext when attempting to configure port forwarding rules.

  • Why does the Western Digital My Cloud Web App use a weak SSLContext?

    The Western Digital My Cloud Web App uses a weak SSLContext to maintain compatibility with old or outdated home routers.

  • How can I fix CVE-2022-23000?

    To fix CVE-2022-23000, it is recommended to update to a version higher than 5.23.114 of the Western Digital My Cloud firmware.
