Western Digital fixes critical bug giving root on My Cloud NAS devices

Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.
This flaw is an out-of-bounds heap read/write in the Samba vfs_fruit VFS module.
It can be exploited by unauthenticated threat actors in low-complexity attacks targeting My Cloud devices running vulnerable firmware versions.
"This specific flaw exists within the parsing of extended attributes metadata when opening a file in smbd," the data storage company explained.
"This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes."
While default configurations are exposed to attacks, threat actors need write access to a file's extended attributes to exploit the flaw.