CVE-2024-22169
Description
CVE-2024-22169 allows code execution in WD Discovery app via Electron environment variable misconfiguration.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2024-22169 is a misconfiguration in the Node.js environment settings of WD Discovery versions prior to 5.0.589. The vulnerability allows an attacker to utilize the ELECTRON_RUN_AS_NODE environment variable to execute arbitrary code within the context of the WD Discovery application [1]. This is due to insecure Electron fuses and Node.js settings that were not properly disabled [1].
Attack Vector and Exploitation
Any malicious application operating with standard user permissions can exploit this vulnerability [1]. The attack requires the victim to have the WD Discovery application installed on their device [1]. The attacker must be able to set the environment variable before WD Discovery starts, which could be achieved through a separate compromised application or script running on the same machine.
Impact
Successful exploitation enables code execution within the WD Discovery application's context [1]. This could allow an attacker to perform actions with the same privileges as the WD Discovery app, potentially accessing files, system resources, or other sensitive data that the application has access to.
Mitigation
Western Digital addressed this vulnerability in WD Discovery version 5.0.589 by disabling certain features and fuses in Electron [1]. Users are automatically prompted to update, or they can download the latest version from the WD Discovery Downloads page [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
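The mitigation above comes down to the state of the Electron fuses baked into the application binary, which can be audited without running the app. The following is an added example, not code from Western Digital or from this page: it parses the fuse wire using the sentinel, byte layout and fuse names from Electron's fuse documentation, and reports the Node.js entry-point fuses that are not disabled. The page does not say which fuses changed in 5.0.589, and the sample bytes and helper names are constructed for illustration.

```javascript
// Added example: read the Electron fuse wire from an app binary (read-only audit).
const SENTINEL = "dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"; // marker Electron embeds before the fuses
const STATES = { 0x30: "disabled", 0x31: "enabled", 0x72: "removed" };
// Fuse wire version 1, in wire order (later positions are reported as fuse#N).
const FUSES_V1 = ["RunAsNode", "EnableCookieEncryption",
  "EnableNodeOptionsEnvironmentVariable", "EnableNodeCliInspectArguments",
  "EnableEmbeddedAsarIntegrityValidation", "OnlyLoadAppFromAsar"];
// RunAsNode gates ELECTRON_RUN_AS_NODE; the other two gate NODE_OPTIONS and --inspect.
const NODE_ENTRY_FUSES = ["RunAsNode", "EnableNodeOptionsEnvironmentVariable",
  "EnableNodeCliInspectArguments"];

// binary: Buffer/Uint8Array of the Electron executable, e.g. from fs.readFileSync(path).
function readFuses(binary) {
  const buf = Buffer.isBuffer(binary) ? binary : Buffer.from(binary);
  const start = buf.indexOf(SENTINEL, 0, "latin1");
  if (start === -1) throw new Error("fuse sentinel not found");
  const wire = start + SENTINEL.length; // [version][length][one state byte per fuse]
  if (wire + 2 > buf.length) throw new Error("truncated fuse wire");
  const version = buf[wire];
  const length = buf[wire + 1];
  if (version !== 1) throw new Error(`unsupported fuse wire version ${version}`);
  if (wire + 2 + length > buf.length) throw new Error("truncated fuse wire");
  const fuses = {};
  for (let i = 0; i < length; i++) {
    fuses[FUSES_V1[i] ?? `fuse#${i}`] = STATES[buf[wire + 2 + i]] ?? "unknown";
  }
  return { version, fuses };
}

// Conservative check: any Node.js entry-point fuse not explicitly disabled is a finding.
function nodeEntryFindings(binary) {
  const { fuses } = readFuses(binary);
  return NODE_ENTRY_FUSES.filter((name) => fuses[name] !== "disabled");
}

// Constructed sample binary: padding + sentinel + version 1 + one ASCII state per fuse.
function sampleBinary(states) {
  return Buffer.concat([Buffer.alloc(64, 0xcc), Buffer.from(SENTINEL, "latin1"),
    Buffer.from([1, states.length]), Buffer.from(states, "latin1"), Buffer.alloc(16)]);
}

console.log("default fuses :", nodeEntryFindings(sampleBinary("101100")));
console.log("hardened fuses:", nodeEntryFindings(sampleBinary("010011")));
```

An empty result means all three entry points are closed in that binary; a non-empty one lists the fuses to flip at packaging time.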
Affected products (1)
- Range: <5.0.589
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.