Command Injection Vulnerability in Western Digital My Cloud devices
Description
Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability that could allow an attacker to execute code in the context of the root user on a vulnerable CGI file was discovered in Western Digital My Cloud OS 5 devices. This issue affects My Cloud OS 5: before 5.26.119.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Western Digital My Cloud OS 5 before 5.26.119 allows remote attackers to execute arbitrary commands as root.
Vulnerability
A command injection vulnerability exists in a CGI file of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119. The software fails to properly neutralize special elements in user-supplied input, allowing an attacker to inject arbitrary system commands. Affected models include My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud [1].
Exploitation
An attacker can exploit this vulnerability remotely by sending a specially crafted request to the vulnerable CGI file. No authentication is required, and the attack does not require user interaction. The advisory notes that the command injection can be triggered remotely to achieve code execution [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands in the context of the root user, leading to full compromise of the device, including data disclosure, modification, and potential use as a pivot point for further attacks.
Mitigation
Western Digital released firmware version 5.26.119 on January 10, 2023, which addresses this vulnerability. Users are advised to update their devices promptly via the firmware update notification [1]. No workarounds are provided; updating to the fixed version is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <5.26.119
- Western Digital/My Cloud OS 5 (v5), Range: 0
References (1)