Western Digital is warning owners of My Cloud series devices that can no longer connect to cloud services starting on June 15, 2023, if the devices are not upgraded to the latest firmware, version 5.26.202.
The storage manufacturer decided to take this drastic measure to protect its users from cyberattacks, as the latest firmware addresses a remotely exploitable vulnerability that can be leveraged to perform unauthenticated code execution.
“Devices on firmware below 5.26.202 will not be able to connect to Western Digital cloud services starting June 15, 2023, and users will not be able to access data on their device through mycloud.com and the My Cloud OS 5 mobile app until they update the device to the latest firmware,” explains a Western Digital support bulletin.
“Users can continue to access their data via Local Access.”
My Cloud is a service that connects Network Attached Storage (NAS) devices to Western Digital’s cloud service, allowing users to store, access, backup, and share media from the web.
That said, unauthorized access to the devices or the users’ media repositories could result in severe data and privacy breaches.
Also, arbitrary code execution may even lead to ransomware being deployed on the devices, which we have seen impacting NAS devices multiple times in the recent past.
Western Digital alerted owners that the following devices need to upgrade their firmware to the designated versions, or they can no longer access My Cloud:
- My Cloud PR2100 – 5.26.202 or later
- My Cloud PR4100 – 5.26.202 or later
- My Cloud EX4100 – 5.26.202 or later
- My Cloud EX2 Ultra – 5.26.202 or later
- My Cloud Mirror G2 – 5.26.202 or later
- My Cloud DL2100 – 5.26.202 or later
- My Cloud DL4100 – 5.26.202 or later
- My Cloud EX2100 – 5.26.202 or later
- My Cloud – 5.26.202 or later
- WD Cloud – 5.26.202 or later
- My Cloud Home – 9.4.1-101 or later
- My Cloud Home Duo – 9.4.1-101 or later
- SanDisk ibi – 9.4.1-101 or later
The above firmware versions were released on May 15, 2023, fixing the following four vulnerabilities:
- CVE-2022-36327: Critical severity (CVSS v3.1: 9.8) path traversal flaw allowing an attacker to write files to arbitrary filesystem locations, leading to unauthenticated (authentication bypass) remote code execution on My Cloud devices.
- CVE-2022-36326: Uncontrolled resource consumption issue triggered by specially crafted requests sent to vulnerable devices, causing DoS. (medium severity)
- CVE-2022-36328: Path traversal flaw allowing an authenticated attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users, and device configurations. (medium severity)
- CVE-2022-29840: Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback. (medium severity)
To learn more about updating the firmware on your My Cloud device, check Western Digital’s instructions.