Western Digital reports critical flaw in My Cloud Devices
Learn More
A critical vulnerability has been identified in Western Digital’s My Cloud devices enabling attackers to execute arbitrary code. Western Digital’s My Cloud devices are a line of network-attached storage (NAS) systems designed for personal and small business use.
The flaw is tracked as CVE-2024-22170 (CVSS score 9.2) and resides in the Dynamic DNS client of the affected devices and stems from an unchecked buffer, which can be exploited through a Man-in-the-Middle (MitM) attack. This vulnerability allows attackers to execute arbitrary code by intercepting a Dynamic DNS update request and injecting a malicious payload, leading to a buffer overflow.
If successfully exploited, this vulnerability could result in unauthorized access to sensitive information, data corruption, system crashes, or making the device unavailable.
Affected Devices:
- My Cloud EX2 Ultra
- My Cloud EX4100
- My Cloud PR2100
- My Cloud PR4100
- My Cloud
- My Cloud Mirror G2
- My Cloud EX2100
- My Cloud DL2100
- My Cloud DL4100
- WD Cloud
Western Digital has released My Cloud OS 5 Firmware version 5.29.102, which patches this critical flaw. Users are strongly advised to update their devices to this firmware version immediately to mitigate potential exploitation.
To further enhance security, users should consider:
- Implementing network segmentation to limit access to vulnerable devices
- Regularly monitoring system logs for unusual activity
