Western Digital patches Samba bug giving root on My Cloud devices
2022-03-26 14:00

Western Digital has fixed a critical severity vulnerability that enabled attackers to gain remote code execution with root privileges on unpatched My Cloud OS 5 devices.

This flaw is an out-of-bounds heap read/write in the Samba vfs_fruit VFS module.

It can be exploited by unauthenticated threat actors in low-complexity attacks targeting My Cloud devices running vulnerable firmware versions.

"This specific flaw exists within the parsing of extended attributes metadata when opening a file in smbd," the data storage company explained.

"This vulnerability can be exploited by unauthenticated users if they are allowed write access to file extended attributes."

While default configurations are exposed to attacks, threat actors need write access to a file's extended attributes.


News URL

https://www.bleepingcomputer.com/news/security/western-digital-patches-samba-bug-giving-root-on-my-cloud-devices/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Samba 5 2 72 45 9 128