Security News > 2022 > March > Western Digital fixes critical bug giving root on My Cloud NAS devices
Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.
This flaw is an out-of-bounds heap read/write in the Samba vfs fruit VFS module.
It can be exploited by unauthenticated threat actors in low complexity attacks targeting My Cloud devices running vulnerable firmware versions.
"This specific flaw exists within the parsing of extended attributes metadata when opening a file in smbd," the data storage company explained.
"This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes."
While default configurations are exposed to attacks, threat actors need write access to a file's extended attributes.