Western Digital My Cloud OS 5 devices Command Injection Vulnerability
Description
A command injection vulnerability in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to execute code in the context of the root user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Western Digital My Cloud OS 5 devices before firmware 5.26.119 are vulnerable to command injection in the DDNS configuration, allowing root-level remote code execution.
Vulnerability
A command injection vulnerability exists in the DDNS service configuration of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119. The vulnerability allows an attacker to inject arbitrary system commands through the DDNS configuration functionality. Affected models include My Cloud PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud [1].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted requests to the DDNS configuration endpoint of the device. No authentication is required to reach the vulnerable functionality, making it remotely exploitable over the network [1].
Impact
Successful exploitation enables the attacker to execute arbitrary commands in the context of the root user, resulting in full compromise of the device, including data access, further propagation, and potential persistence [1].
Mitigation
The vulnerability is fixed in My Cloud OS 5 firmware version 5.26.119, published on January 10, 2023 [1]. Users are advised to update their devices to this or later firmware versions. No workaround is available; updating is the only mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
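Added example, not part of the original page or any Western Digital tooling: a small Python audit that applies the mitigation above by flagging inventory entries whose firmware is below the fixed version 5.26.119. The CSV layout, host names and every sample version other than 5.26.119 are constructed assumptions. Versions are compared numerically, because a plain string comparison would rank 5.9.x above 5.26.119.

```python
import csv
import io
import re

FIXED = (5, 26, 119)  # fixed My Cloud OS 5 firmware version named in the text above
VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")

# Constructed sample inventory (hosts and versions are made up for illustration).
SAMPLE_INVENTORY = """host,model,firmware
nas-01,PR4100,5.26.119
nas-02,EX2 Ultra,5.25.124
nas-03,Mirror G2,5.9.100
nas-04,DL2100,5.04.114
nas-05,EX4100,5.27.157
nas-06,PR2100,unknown
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not N.N.N."""
    match = VERSION_RE.match(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(firmware):
    """'vulnerable' below FIXED, 'fixed' at or above it, 'unknown' if unparseable."""
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # needs manual review; never assume it is patched
    return "vulnerable" if version < FIXED else "fixed"


def audit(inventory_csv):
    """Map each status to the list of hosts that fall into it."""
    report = {"vulnerable": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row["firmware"])].append(row["host"])
    return report


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` should be checked by hand rather than counted as patched.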
Affected products
- Range: <5.26.119
- Western Digital/My Cloud (v5), Range: My Cloud OS 5
References