CVE-2024-22170 (CVSS 9.2): Western Digital Addresses Critical Flaw in My Cloud Devices

My Cloud OS 5 - CVE-2024-22170

Western Digital has released a security advisory addressing a high-severity vulnerability (CVE-2024-22170) impacting a range of My Cloud devices. The vulnerability, which carries a CVSS score of 9.2, could allow attackers to execute arbitrary code on affected devices, potentially leading to unauthorized access, data breaches, and other malicious activities.

The flaw resides in the Dynamic DNS client and stems from an unchecked buffer. This weakness can be exploited by attackers through a Man-in-the-Middle (MitM) attack, enabling them to inject malicious payloads into Dynamic DNS update requests, causing a buffer overflow. This, in turn, could lead to the execution of arbitrary code, granting attackers significant control over the compromised device.

Western Digital would like to thank Claroty Research – Team82 – Noam Moshe, working with Trend Micro Zero Day Initiative, for their responsible disclosure of this vulnerability.

The following My Cloud devices are vulnerable to the CVE-2024-22170 flaw:

  • My Cloud EX2 Ultra
  • My Cloud EX4100
  • My Cloud PR2100
  • My Cloud PR4100
  • My Cloud
  • My Cloud Mirror G2
  • My Cloud EX2100
  • My Cloud DL2100
  • My Cloud DL4100
  • WD Cloud

Western Digital has addressed the vulnerability in My Cloud OS 5 Firmware version 5.29.102. Users are strongly urged to update their devices to this version immediately to protect their data and systems from potential exploitation.

Related Posts: