CVE-2024-22169: Western Digital’s WD Discovery App Exposed to Code Execution Vulnerability
Western Digital, a leading provider of storage solutions, has issued a security advisory regarding a vulnerability (CVE-2024-22169, CVSS 7.1) discovered in their WD Discovery Desktop App. This flaw could allow attackers to execute malicious code on users’ systems, potentially compromising sensitive data and system integrity.
Technical Breakdown:
The vulnerability stems from a misconfiguration in the Node.js environment settings within the WD Discovery app. By manipulating specific environment variables, an attacker could exploit this flaw to execute arbitrary code within the context of the application. This could lead to unauthorized access, data theft, or even a complete system takeover.
Security researchers YoKo Kho, Fahad Alamri, and AbdulKarim from HakTrak Cybersecurity Squad are credited with discovering and reporting this vulnerability.
Who’s Affected:
All users of WD Discovery Desktop App versions prior to 5.0.589 are vulnerable to this attack. The vulnerability affects both Windows and macOS users.
Immediate Action Required:
Western Digital urges all users to immediately update their WD Discovery app to version 5.0.589 [Windows, Mac] or later. This update addresses the vulnerability by disabling certain features and hardening the Electron framework used in the app.