Western Digital My Cloud OS 5 arbitrary file read and write vulnerability via ftp

Vulnerability

The FTP service in Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 contains a path traversal vulnerability that allows an unauthenticated attacker to read and write arbitrary files on the device. This affects all supported My Cloud models, including PR2100, PR4100, EX4100, EX2 Ultra, Mirror G2, DL2100, DL4100, EX2100, My Cloud, and WD Cloud [1].

Exploitation

An attacker can exploit this vulnerability over the network without any authentication or user interaction by sending specially crafted FTP commands that traverse the filesystem. The FTP service runs with elevated privileges, enabling access to sensitive system files [1].

Impact

Successful exploitation allows the attacker to read and write arbitrary files on the NAS, potentially leading to full compromise of the device. By writing malicious files (e.g., cron jobs, scripts, or configuration files), the attacker can achieve remote code execution with root privileges, giving them full control over the NAS [1].

Mitigation

Western Digital has addressed this vulnerability in firmware version 5.26.119, released on January 10, 2023. Users should update their My Cloud devices to the latest firmware immediately. No workarounds are available if patching is not possible [1].