Description:
Summary: Multiple Western Digital My Cloud products are prone to multiple vulnerabilities.
Vulnerability Insight: The following issues have been addressed:
- Resolved multiple command injection vulnerabilities including CVE-2016-10108 and CVE-2016-10107
- Resolved multiple cross-site request forgery (CSRF) vulnerabilities
- Resolved a Linux kernel Dirty COW vulnerability (CVE-2016-5195)
- Resolved multiple denial-of-service vulnerabilities
- Improved security by disabling SSH shadow information
- Resolved a buffer overflow issue that could lead to unauthenticated access
- Resolved a clickjacking vulnerability in the web interface
- Resolved multiple security issues in the Webfile viewer on-device app
- Improved the security of volume mount options
- Resolved multiple security issues in the EULA onboarding flow
- Resolved leakage of debug messages in the web interface
- Improved credential handling for the remote MyCloud-to-MyCloud backup feature
- Improved credential handling for upload-logs-to-support option
Additionally, the following components received an update containing security fixes:
- Apache v2.4.34 (CVE-2018-1301, CVE-2018-1302, CVE-2018-1303, CVE-2018-1312, CVE-2017-15715)
- PHP v5.4.45 (CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838, CVE-2014-9767)
- OpenSSH v7.5p1
- OpenSSL v1.0.1u
- libupnp v1.6.25 (CVE-2012-5958)
- jQuery v3.3.1 (CVE-2010-5312)
- Rsync v3.1.3 (CVE-2018-5764)
Affected Software/OS: Western Digital My Cloud with firmware versions prior to 2.12.127 and 2.2 - 2.3 versions prior to 2.31.149.
Solution: Update to firmware version 2.12.127, 2.31.149 or later.
Note: Some My Cloud products are already end-of-life and no longer receive updates.
CVSS Score: 10.0
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C