Western Digital has taken action to block access to its cloud services for devices running firmware versions that are impacted by a critical security vulnerability. This decision was implemented on June 15, following the release of firmware updates for the company's My Cloud product line to address multiple security defects, including a critical path traversal bug that could lead to remote code execution (RCE). The vulnerability is identified as CVE-2022-36327 and has a CVSS severity score of 9.8/10. A NIST advisory states that the flaw “could allow an attacker to write files to locations with certain critical filesystem types.”
The vulnerability affects Western Digital’s My Cloud Home, My Cloud Home Duo, SanDisk ibi, and My Cloud OS 5 devices. For the attackers to exploit the flaw, they must first trigger an authentication bypass vulnerability. On May 15, Western Digital released My Cloud OS 5 firmware version 5.26.202 to fix this bug as well as three other medium-severity issues. These include an uncontrolled resource consumption flaw that can lead to denial-of-service (DoS), a path traversal issue that can result in sensitive information disclosure, and a server-side request forgery (SSRF) bug that can lead to the exploitation of other vulnerabilities.
On May 26, Western Digital released firmware version 9.4.1-101 to address the SSRF bug in My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices. As of June 15, devices with firmware versions prior to 5.26.202 or 9.4.1-101 are no longer able to connect to Western Digital cloud services, as noted in the company's advisory. While users of My Cloud OS 5 can still access their data on these devices locally, those with My Cloud Home, My Cloud Home Duo, and SanDisk ibi devices will not be able to access their data until they update their devices to the latest firmware release.
By preventing unpatched devices from accessing My Cloud services, Western Digital is essentially protecting them from potential cyberattacks that could lead to severe data compromise.