T0@st
News Editor
News reports about Western Digital's implementation of new security measures started appearing online last week. My Cloud product owners were puzzled to discover that their access to cloud services had been blocked. Devices not updated to the latest firmware, version 5.26.202 (My Cloud) and 9.4.1-101 (My Cloud Home, SanDisk ibi), have been barred since the June 15 start date and remain so. This relatively new measure has been implemented to prevent further exploitation of security vulnerabilities. WD is likely shoring up its online defenses following a major cyber attack on its My Cloud service back in March, in which a hacker group demanded a hefty ransom fee for the return of private customer data. WD restored My Cloud services by mid-May, and released several software updates and security fixes.
According to a company security bulletin (issued last week): "Devices on firmware below 5.26.202 will not be able to connect to Western Digital cloud services starting June 15, 2023, and users will not be able to access data on their device through mycloud.com and the My Cloud OS 5 mobile app until they update the device to the latest firmware...Users can continue to access their data via Local Access." The latest fixes should protect customers from unauthorized access and ransomware attacks, but WD has not provided any further news about any ongoing negotiations with the hacker group behind the Spring data breach.
WD's bulletin states: "We periodically release firmware updates to the My Cloud, My Cloud Home and SanDisk ibi devices to improve device security and reliability."
Their list includes the following products:
- My Cloud PR2100 - 5.26.202 or later
- My Cloud PR4100 - 5.26.202 or later
- My Cloud EX4100 - 5.26.202 or later
- My Cloud EX2 Ultra - 5.26.202 or later
- My Cloud Mirror G2 - 5.26.202 or later
- My Cloud DL2100 - 5.26.202 or later
- My Cloud DL4100 - 5.26.202 or later
- My Cloud EX2100 - 5.26.202 or later
- My Cloud - 5.26.202 or later
- WD Cloud - 5.26.202 or later
- My Cloud Home - 9.4.1-101 or later
- My Cloud Home Duo - 9.4.1-101 or later
- SanDisk ibi - 9.4.1-101 or later
BleepingComputer's report included this information: "The above firmware versions were released on May 15, 2023, fixing the following four vulnerabilities:"
- CVE-2022-36327: Critical severity (CVSS v3.1: 9.8) path traversal flaw allowing an attacker to write files to arbitrary filesystem locations, leading to unauthenticated (authentication bypass) remote code execution on My Cloud devices.
- CVE-2022-36326: Uncontrolled resource consumption issue triggered by specially crafted requests sent to vulnerable devices, causing DoS. (medium severity)
- CVE-2022-36328: Path traversal flaw allowing an authenticated attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users, and device configurations. (medium severity)
- CVE-2022-29840: Server-Side Request Forgery (SSRF) vulnerability that could allow a rogue server on the local network to modify its URL to point back to the loopback. (medium severity)
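For anyone tracking several of these devices, the minimum versions listed above can be turned into an inventory check. This is an added example, not code from WD or from the original post: the hostnames and installed versions in `INVENTORY` are constructed, and it assumes firmware fields compare numerically from left to right, with the part after the hyphen treated as a final build field.

```python
import re

# Minimum firmware per product, taken from the list in the article.
OS5_MIN = "5.26.202"
HOME_MIN = "9.4.1-101"
MIN_FIRMWARE = {model: OS5_MIN for model in (
    "My Cloud PR2100", "My Cloud PR4100", "My Cloud EX4100",
    "My Cloud EX2 Ultra", "My Cloud Mirror G2", "My Cloud DL2100",
    "My Cloud DL4100", "My Cloud EX2100", "My Cloud", "WD Cloud")}
MIN_FIRMWARE.update({model: HOME_MIN for model in (
    "My Cloud Home", "My Cloud Home Duo", "SanDisk ibi")})

def parse_version(text):
    """Turn '5.26.202' or '9.4.1-101' into a tuple of ints.

    Comparing tuples avoids the string-comparison trap where
    '5.9.100' sorts above '5.26.202'.
    """
    parts = re.split(r"[.-]", text.strip())
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def check_device(model, firmware):
    """Return 'ok', 'outdated' or 'unknown' for one inventory record."""
    minimum = MIN_FIRMWARE.get(model)
    if minimum is None:
        return "unknown"          # model is not on the bulletin's list
    try:
        current = parse_version(firmware)
    except ValueError:
        return "unknown"          # version string could not be read
    return "ok" if current >= parse_version(minimum) else "outdated"

def audit(inventory):
    """Map each hostname to its status."""
    return {host: check_device(model, fw) for host, model, fw in inventory}

# Constructed sample inventory: (hostname, model, installed firmware).
INVENTORY = [
    ("nas-01", "My Cloud EX2 Ultra", "5.26.202"),
    ("nas-02", "My Cloud PR4100", "5.9.100"),
    ("nas-03", "My Cloud Home", "9.4.0-191"),
    ("nas-04", "SanDisk ibi", "9.4.1-101"),
    ("nas-05", "My Cloud Home Duo", "n/a"),
]

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `outdated` are the ones cut off from mycloud.com and the mobile app until updated; `unknown` entries need a manual look.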