CVE-2022-29844
Published: 2023-01-26
Priority: P277 · Severity: critical 9.8 (CVSS 3.1) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.41% (98.3th percentile)
A vulnerability in the FTP service of Western Digital My Cloud OS 5 devices running firmware versions prior to 5.26.119 allows an attacker to read and write arbitrary files. This could lead to a full NAS compromise and would give remote execution capabilities to the attacker.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| western_digital | my_cloud | >= My Cloud OS 5 < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_dl2100_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_dl4100_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_ex2100_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_ex2_ultra_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_ex4100_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_mirror_g2_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_pr2100_firmware | < 5.26.119 | 5.26.119 |
| westerndigital | my_cloud_pr4100_firmware | < 5.26.119 | 5.26.119 |
Detection & IOCs (extracted from sources)
- Shodan query: http.favicon.hash:-1074357885
- FOFA query: icon_hash=-1074357885
- YARA words: 'WDMyCloud', 'Cloud_Connection_StatusID', 'my_cloud_os', 'WD Privacy Statement'
- Exploit sends an FTP USER command with a username payload exceeding 2048 bytes to trigger a buffer overflow in douser(), overwriting the global 'loggedin' variable to bypass authentication without a password.
- Arbitrary file read of /etc/NAS_CFG/ftp.xml via FTP RETR is a key reconnaissance step in the exploit chain; alert on unauthenticated or anomalous FTP RETR requests targeting this path.
- FTP STOR command used for arbitrary file write (e.g., dropping a webshell/backdoor); it must be preceded by a PORT command (active mode). Monitor for FTP PORT + STOR sequences from unauthenticated or anomalous sessions on WD My Cloud devices.
- Detect WD My Cloud panel exposure by matching the HTTP response body for the strings 'WDMyCloud', 'Cloud_Connection_StatusID', 'my_cloud_os', or 'WD Privacy Statement' together with an HTTP 200 status.
- The exploit targets the Pure-FTPd-based FTP service patched by Western Digital; firmware versions prior to 5.26.119 are vulnerable. Confirm exposure by checking the firmware version on My Cloud Pro Series PR4100 devices.
- The authentication bypass leaves the FTP process running as root (no setuid() call), which affects ACL checks: root is not treated as 'admin' by Get_Share_Permission(), but Public shares (#@allaccount#) remain writable.
- The exploit only works when the FTP service is activated on the device; if FTP is disabled, the attack surface does not exist.
- The overflow payload must not contain NULL bytes (except the terminating one), which constrains the attacker's ability to place arbitrary data in the overwritten region.
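As an added defender-side example (not code from this page, Western Digital, or the original researcher), the following Python pass scans a constructed FTP control-channel log and flags the indicators listed above: an oversized USER argument, a RETR of /etc/NAS_CFG/ftp.xml, and transfers (including PORT + STOR) in a session that never sent PASS. The log line format, session ids and sample paths are assumptions made for the example.

```python
import re

# Limits and paths are the ones quoted in the detection notes on this page.
USER_ARG_LIMIT = 2048                       # douser() buffer size named in the advisory
SENSITIVE_PATHS = {"/etc/NAS_CFG/ftp.xml"}  # config file read in the exploit chain

# Constructed log format (assumption): "<session-id> <C|S> <raw control-channel line>"
LINE_RE = re.compile(r"^(?P<sid>\S+) (?P<dir>[CS]) (?P<text>.*)$")

def analyze_ftp_log(lines):
    """Return (session_id, alert) tuples for CVE-2022-29844-style FTP activity."""
    state = {}      # sid -> {"pass": PASS seen, "port": PORT seen since last transfer}
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dir"] != "C":
            continue                         # only client commands drive the checks
        sid, text = m["sid"], m["text"]
        st = state.setdefault(sid, {"pass": False, "port": False})
        cmd, _, arg = text.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER" and len(arg.encode()) > USER_ARG_LIMIT:
            # An overlong USER argument is the trigger for the douser() overflow
            alerts.append((sid, f"oversized USER argument ({len(arg.encode())} bytes)"))
        elif cmd == "PASS":
            st["pass"] = True
        elif cmd == "PORT":
            st["port"] = True
        elif cmd in ("RETR", "STOR"):
            if arg in SENSITIVE_PATHS:
                alerts.append((sid, f"{cmd} of sensitive path {arg}"))
            if not st["pass"]:
                # The bypass skips PASS entirely, so any transfer here is anomalous
                suffix = " (after PORT)" if cmd == "STOR" and st["port"] else ""
                alerts.append((sid, f"{cmd} without a preceding PASS{suffix}"))
            st["port"] = False
    return alerts

# Constructed sample: s1 mimics the described chain, s2 is a normal active-mode upload.
SAMPLE_LOG = [
    "s1 C USER " + "A" * 2100,
    "s1 C RETR /etc/NAS_CFG/ftp.xml",
    "s1 C PORT 10,0,0,5,4,1",
    "s1 C STOR /shares/Public/x.php",
    "s2 C USER alice",
    "s2 C PASS hunter2",
    "s2 C PORT 10,0,0,6,4,2",
    "s2 C STOR /shares/Public/report.pdf",
]
```

Running `analyze_ftp_log(SAMPLE_LOG)` yields four alerts for s1 and none for s2, since an authenticated active-mode upload is normal traffic.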
No detection rules found.
Nuclei template: WD My Cloud Panel - Detect (CVE-2022-29844)

```yaml
id: wd-mycloud-panel

info:
  name: WD My Cloud Panel - Detect
  author: DhiyaneshDk
  severity: info
  reference:
    - https://www.zerodayinitiative.com/blog/2023/4/19/cve-2022-29844-a-classic-buffer-overflow-on-the-western-digital-my-cloud-pro-series-pr4100
  classification:
    cpe: cpe:2.3:a:western_digital:mycloud_nas:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: western_digital
    product: mycloud_nas
    shodan-query: http.favicon.hash:-1074357885
    fofa-query: icon_hash=-1074357885
  tags: panel,login,mycloud,wd,detect,western_digital,discovery

http:
  - method: GET
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'WDMyCloud'
          - 'Cloud_Connection_StatusID'
          - 'my_cloud_os'
          - 'WD Privacy Statement'
        condition: or

      # Second matcher was truncated in the source; restored as the HTTP 200
      # status check described in the detection notes above.
      - type: status
        status:
          - 200
```
Trendmicro
CVE-2022-29844: Classic Buffer Overflow on My Cloud Pro Series PR4100
blogs_trendmicro · 2023-04-20 · CVSS 6.7 [MEDIUM]
# CVE-2022-29844: A Classic Buffer Overflow on the Western Digital My Cloud Pro Series PR4100
Learn to stop CVE-2022-29844: classic buffer overflow on My Cloud Pro Series PR4100
By: Zero Day Initiative, 2023/04/20
This post covers an exploit chain demonstrated by Luca Moro (@johncool__) during Pwn2Own Toronto 2022. At the contest, he used a classic buffer overflow to gain code execution on the My Cloud Pro Series PR4100 Network Attached Storage (NAS) device. He also displayed a nifty message on the device. Luca’s successful entry earned him $40,000 and 4 points towards Master of Pwn. All Pwn2Own entries are accompanied by a full whitepaper describing the vulnerabilities being used and how they were exploited. The following blog is an excerpt from that