CVE-2021-36226
https://notcve.org/view.php?id=CVE-2021-36226
Western Digital My Cloud devices before OS5 do not use cryptographically signed Firmware upgrade files. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users https://www.youtube.com/watch?v=vsg9YgvGBec • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2021-36224
https://notcve.org/view.php?id=CVE-2021-36224
Western Digital My Cloud devices before OS5 have a nobody account with a blank password. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users https://www.youtube.com/watch?v=vsg9YgvGBec • CWE-798: Use of Hard-coded Credentials •
CVE-2021-36225
https://notcve.org/view.php?id=CVE-2021-36225
Western Digital My Cloud devices before OS5 allow REST API access by low-privileged accounts, as demonstrated by API commands for firmware uploads and installation. • https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Tokyo_2020/weekend_destroyer/weekend_destroyer.md https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users https://www.youtube.com/watch?v=vsg9YgvGBec • CWE-862: Missing Authorization •
CVE-2022-29839 – Remote Backups Application Discloses Stored Credentials
https://notcve.org/view.php?id=CVE-2022-29839
Insufficiently Protected Credentials vulnerability in the remote backups application on Western Digital My Cloud devices that could allow an attacker who has gained access to a relevant endpoint to use that information to access protected data. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. Vulnerabilidad de credenciales insuficientemente protegidas en la aplicación de copias de seguridad remotas en dispositivos Western Digital My Cloud que podría permitir que un atacante que haya obtenido acceso a un endpoint relevante use esa información para acceder a datos protegidos. Este problema afecta: Versiones de Western Digital My Cloud My Cloud anteriores a la 5.25.124 en Linux. • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-522: Insufficiently Protected Credentials •
CVE-2022-29838 – Authentication issue with the encrypted volumes and auto mount feature in My Cloud devices
https://notcve.org/view.php?id=CVE-2022-29838
Improper Authentication vulnerability in the encrypted volumes and auto mount features of Western Digital My Cloud devices allows insecure direct access to the drive information in the case of a device reset. This issue affects: Western Digital My Cloud My Cloud versions prior to 5.25.124 on Linux. La vulnerabilidad de autenticación inadecuada en los volúmenes cifrados y las funciones de montaje automático de los dispositivos Western Digital My Cloud permite un acceso directo inseguro a la información de la unidad en el caso de un reinicio del dispositivo. Este problema afecta: Versiones de Western Digital My Cloud My Cloud anteriores a la 5.25.124 en Linux. • https://www.westerndigital.com/support/product-security/wdc-22019-my-cloud-firmware-version-5-25-124 • CWE-287: Improper Authentication •