CVE-2022-22991 — OS Command Injection in Digital MY Cloud

CWE-78 — OS Command Injection CWE-77 — Command Injection CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer3 documents3 sources

Severity

8.8HIGHNVD

CISA9.8

EPSS

0.1%

top 75.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Western Digital MY Cloud Westerndigital MY Cloud OS

Timeline

PublishedJan 13

Latest updateJan 18

Description

A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured HTTP call. Addressed this vulnerability by disabling checks for internet connectivity using HTTP.

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5western_digital/my_cloudMy Cloud OS 5 — 5.19.117

▶NVDwesterndigital/my_cloud_os< 5.19.117

🔴Vulnerability Details

GHSA

GHSA-5pf6-pvrw-qjr7: A malicious user on the same LAN could use DNS spoofing followed by a command injection attack to trick a NAS device into loading through an unsecured↗2022-01-14

▶

📋Vendor Advisories

CISA

F5 BIG-IP Traffic Management Microkernel Buffer Overflow↗2022-01-18

▶