5.26.202: months to get security updates MCH got end of January

Hello,

So after months of waiting (longest period ever), we finally got an update to OS 5.

A minor update, a sole build increase.

Western Digital released the security details a few days ago. It appears that many security issues had already been fixed with the firmware update that the My Cloud Home got at the end of January.

It’s a bit of a pity that the more professional NAS had to wait this long to have them fixed.

See: WDC-23006 My Cloud Firmware Version 5.26.202 | Western Digital

CVE-2022-36326 Detail
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

CVE-2022-36327 Detail
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could allow an attacker to write files to locations with certain critical filesystem types leading to remote code execution was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

CVE-2022-36328 Detail
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability that could allow an attacker to create arbitrary shares on arbitrary directories and exfiltrate sensitive files, passwords, users and device configurations was discovered in Western Digital My Cloud Home, My Cloud Home Duo, SanDisk ibi and Western Digital My Cloud OS 5 devices. This can only be exploited once an attacker gains root privileges on the devices using an authentication bypass issue or another vulnerability. This issue affects My Cloud Home and My Cloud Home Duo: before 9.4.0-191; ibi: before 9.4.0-191; My Cloud OS 5: before 5.26.202.

Best,

This update first made my shared folders unreachable, then I entered the admin UI, and everything there seemed stuck, like no network usage.
I rebooted the drive, and now my shared folders work but I cannot log in to the UI. I’m getting in using my own password, then it asks me to create a new user and password :frowning: then stuck with a message “updating”.
Looks like the request is getting a 504 timeout.

Have you opened a Support Case? If not opened, for more information, please contact the WD Technical Support team for the best assistance and troubleshooting:
https://support-en.wd.com/app/ask