Western Digital Implements New Security Measures for My Cloud Products: Firmware Update Required

Published by

teaser

Western Digital recently introduced new security protocols, leading to an unexpected disruption for users of their My Cloud products. These individuals found their cloud services access was obstructed due to these measures, specifically affecting devices without the most recent firmware updates: 5.26.202 for My Cloud and 9.4.1-101 for My Cloud Home and SanDisk ibi. 



These measures have been put in place to mitigate the risk of potential vulnerabilities. 

This initiative follows a significant cyber attack on My Cloud services in March, during which a hacker group demanded a considerable ransom in exchange for the return of private customer data. By mid-May, Western Digital had re-established My Cloud services, and multiple software updates and security fixes were issued.

Per the security bulletin released by the company, devices with firmware versions below 5.26.202 will be unable to access Western Digital cloud services from June 15, 2023, onwards. This means users will not be able to access their data via mycloud.com or the My Cloud OS 5 mobile app until their devices are updated to the latest firmware. Nevertheless, data access through Local Access remains available. These firmware updates are primarily designed to prevent unauthorized access and thwart potential ransomware attacks. However, Western Digital has not given updates regarding any ongoing discussions with the hacker group involved in the spring data breach.

The company's bulletin emphasizes that firmware updates are routinely distributed for My Cloud, My Cloud Home, and SanDisk ibi devices to increase security and improve reliability.

The following products require the respective firmware versions:

  • My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud: 5.26.202 or later
  • My Cloud Home, My Cloud Home Duo, and SanDisk ibi: 9.4.1-101 or later.

Bleeping Computer's report included this information: "The above firmware versions were released on May 15, 2023, fixing the following four vulnerabilities:"

  • CVE-2022-36327: Critical severity (CVSS v3.1: 9.8) path traversal flaw allowing an attacker to write files to arbitrary filesystem locations, leading to unauthenticated (authentication bypass) remote code execution on My Cloud devices.
  • CVE-2022-36326: Uncontrolled resource consumption issue triggered by specially crafted requests sent to vulnerable devices, causing DoS. (medium severity)
  • CVE-2022-36328: Path traversal flaw allowing an authenticated attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users, and device configurations. (medium severity)
  • CVE-2022-29840: Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback. (medium severity)

Western Digital Implements New Security Measures for My Cloud Products: Firmware Update Required


Share this content
Twitter Facebook Reddit WhatsApp Email Print