VYPR
Unrated severity · NVD Advisory · Published May 10, 2023 · Updated Jan 24, 2025

OS Command Injection vulnerability in Western Digital My Cloud devices

CVE-2022-29841

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability that was caused by a command that read files from a privileged location and created a system command without sanitizing the read data. This command could be triggered by an attacker remotely to cause code execution and gain a reverse shell in Western Digital My Cloud OS 5 devices. This issue affects My Cloud OS 5: before 5.26.119.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An OS command injection in My Cloud OS 5 allows unauthenticated remote attackers to execute arbitrary commands as root via a crafted request to a vulnerable CGI endpoint.

Vulnerability

A command injection vulnerability (CWE-78) exists in Western Digital My Cloud OS 5 devices prior to version 5.26.119. The flaw resides in a CGI script that reads files from a privileged location and constructs a system command without sanitizing the read data. An attacker can exploit this by sending a specially crafted request to the vulnerable endpoint, leading to arbitrary command execution as root.
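The pattern described above, shown beside a hardened form, as an added example that is not Western Digital's code and not part of the original advisory. The function names, the file path and the `/bin/echo` stand-in command are assumptions, since the advisory does not publish the affected script.

```c
/* Added example: names, the file path and the echo stand-in are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Read the first line of a file, dropping the trailing newline. */
int read_value(const char *path, char *buf, size_t len) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int ok = fgets(buf, (int)len, f) != NULL;
    fclose(f);
    if (ok) buf[strcspn(buf, "\r\n")] = '\0';
    return ok ? 0 : -1;
}

/* BEFORE: the flawed pattern. The file value is pasted into a shell command
 * line, so a shell would interpret any metacharacter in it. Built, never run. */
int build_shell_cmd(const char *value, char *out, size_t len) {
    int n = snprintf(out, len, "/bin/echo share=%s", value);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

/* AFTER, part 1: allow-list the value (letters, digits, '_', '-', '.'). */
int value_is_safe(const char *v) {
    size_t n = strlen(v);
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)v[i]) && !strchr("_-.", v[i])) return 0;
    return n > 0 && n <= 64;
}

/* AFTER, part 2: no shell, value is one argv element; -1 means rejected. */
int run_without_shell(const char *value) {
    char arg[80];
    int status = 0;
    if (!value_is_safe(value)) return -1;
    snprintf(arg, sizeof arg, "share=%s", value);
    char *const argv[] = { "echo", arg, NULL };
    pid_t pid = fork();
    if (pid == 0) { execv("/bin/echo", argv); _exit(127); }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char v[128];
    if (read_value("/tmp/share_name.txt", v, sizeof v) != 0) return 1;
    return run_without_shell(v) == 0 ? 0 : 1;
}
```

Either control alone narrows the flaw; together the value is both constrained to a known character set and never parsed by a shell.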

Exploitation

No authentication is required. An attacker with network access to the device can trigger the vulnerable command path by sending a malicious HTTP request. The request causes the CGI script to read attacker-controlled data from a privileged file and then pass that data directly into a system command without sanitization, resulting in command execution. No user interaction is needed.

Impact

Successful exploitation allows an attacker to execute arbitrary operating system commands with root privileges. This can lead to full compromise of the device, including data exfiltration, installation of persistent backdoors, and potentially using the device as a pivot point for further attacks on the local network.

Mitigation

Western Digital released firmware version 5.26.119 on January 10, 2023, which fixes this vulnerability. All affected My Cloud OS 5 models (PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud) should be updated to this version promptly. No workarounds are documented; updating the firmware is the recommended mitigation [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
