Western Digital fixes critical security vulnerabilities in My Cloud NAS systems

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,519
Western Digital is patching vulnerabilities in the My Cloud OS 3 firmware of the My Cloud EX2, My Cloud EX4 and My Cloud Mirror NAS systems that could allow attackers to gain full access to the devices.

The manufacturer describes only one of the critical vulnerabilities (server-side request forgery) in concrete terms, whereby attackers could use manipulated requests to establish connections to the local network, explore it and possibly penetrate further (CVE-2021-40438, CVSS 9.0, risk critical).

In the security advisory, Western Digital explains that the vulnerabilities are due to the Apache server used. The three other CVE entries CVE-2021-39275 (CVSS 9.8, critical), CVE-2021-34798 (CVSS 7.5, high) and CVE-2021-36160 (CVSS 7.5, high) describe further gaps. Attackers could use this to trigger a buffer overflow and possibly execute injected code. The two latter vulnerabilities could potentially cause attackers to crash the server.